- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Wed, 26 Sep 2012 13:05:07 -0400
- To: Ben Laurie <benl@google.com>
- CC: Henry Story <henry.story@bblfish.net>, "public-webid@w3.org" <public-webid@w3.org>, Andrei Sambra <andrei@fcns.eu>
- Message-ID: <506335C3.6010105@openlinksw.com>
On 9/26/12 11:48 AM, Ben Laurie wrote:
> On 26 September 2012 14:24, Kingsley Idehen <kidehen@openlinksw.com> wrote:
>> On 9/26/12 8:06 AM, Ben Laurie wrote:
>>> http://en.wikipedia.org/wiki/Object-capability_model gives an overview.
>>
>> The item above was enough. That's what Linked Data facilitates, at
>> Web-scale, due to underlying architecture of the world wide web.
>>
>> You have data object resources. Each is identified using a de-referencable
>> URI. The representation of a data object is a graph, it's been so forever,
>> and long before Web ubiquity.
>>
>> Once we put the terminology distractions aside, you'll find that your object
>> capabilities == my acls :-)
> No, the point you are missing is that in capabilities the _only_
> authority I need to access a resource is the name of that resource -
> the URI in your case. Security derives from the unforgeability of the
> URI, rather than an independent system that decides if some principal
> has permission.
>
> The problem that best shows the critical difference between caps and
> ACLs is the confused deputy problem:
> http://en.wikipedia.org/wiki/Confused_deputy_problem.
>

They can too and here are the options:

1. use a circa. 2012 certificate generator (hosted, desktop, or mobile phone) -- you have a link to an example in one of my responses (i.e., http://id.myopenlink.net/certgen) re. hosted variant
2. use what the OS provides -- Windows and Mac OS X have user friendly Wizards for generating certificates that allow you to insert a WebID in the cert's SAN.

In all cases, it's click, click, click and then either <keygen/> kicks in or you have a pkcs#12 file that is saved locally or sent out via email.

It's dead simple. All we have to do is revisit this vital subject matter with end-users. This is also why I suggest revisiting email signing since circa. 2012, the artificial tedium associated with cert. generation is now truly behind us.

Kingsley

--

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Wednesday, 26 September 2012 17:05:35 UTC
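
The capability/ACL distinction and the confused deputy problem raised in the quoted text, as an added Python sketch that is not part of the original message or of any WebID implementation. The store classes, deputy functions, resource names and `store.example` URIs are all constructed for illustration.

```python
import secrets

class AclStore:
    # ACL model: guessable names; a separate table decides who may write.
    def __init__(self, acl):
        self.data, self.acl = {}, set(acl)   # acl: (principal, name) pairs

    def write(self, principal, name, text):
        if (principal, name) not in self.acl:
            raise PermissionError(f"{principal} may not write {name}")
        self.data[name] = text

class CapStore:
    # Capability model: holding the unguessable URI is the only authority.
    def __init__(self):
        self.data, self._by_cap = {}, {}     # _by_cap: capability URI -> name

    def mint(self, name):
        cap = "https://store.example/c/" + secrets.token_urlsafe(32)
        self._by_cap[cap] = name
        return cap

    def write(self, cap, text):
        if cap not in self._by_cap:
            raise PermissionError("unknown capability")
        self.data[self._by_cap[cap]] = text

def acl_deputy(store, out_name, report):
    # Runs as "deputy": the ACL check sees the deputy's rights, not the caller's.
    store.write("deputy", out_name, report)

def cap_deputy(store, out_cap, report):
    # Uses only the authority the caller handed over.
    store.write(out_cap, report)

def demo():
    acl = AclStore({("deputy", "billing.log"), ("deputy", "alice/out.txt")})
    acl.write("deputy", "billing.log", "ledger")
    acl_deputy(acl, "billing.log", "alice's report")  # alice names the ledger
    clobbered = acl.data["billing.log"] != "ledger"
    caps = CapStore()
    caps.write(caps.mint("billing.log"), "ledger")    # cap never leaves deputy
    cap_deputy(caps, caps.mint("alice/out.txt"), "alice's report")
    try:
        cap_deputy(caps, "https://store.example/c/billing.log", "x")  # a guess
        guess_worked = True
    except PermissionError:
        guess_worked = False
    return clobbered, caps.data["billing.log"], guess_worked
```

In the ACL run the deputy's own permission is what gets checked, so a caller-chosen name reaches the ledger; in the capability run the caller can only pass URIs it actually holds.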