Re: Signalling WebID Certificates - the CN=WebID, O={} CA from Henry Story on 2013-12-08 (public-webid@w3.org from December 2013)

From: Henry Story <henry.story@bblfish.net>
Date: Sun, 8 Dec 2013 11:54:45 +0100
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Cc: public-webid WebID Group <public-webid@w3.org>
Message-Id: <541EC9C5-6D83-4587-8A51-2635947C095D@bblfish.net>

On 7 Dec 2013, at 17:45, Anders Rundgren <anders.rundgren.net@gmail.com> wrote:

> On 2013-12-07 16:56, Henry Story wrote:
> 
>>   certificate_authorities
>>      A list of the distinguished names [X501] of acceptable
>>      certificate_authorities, represented in DER-encoded format.  These
>>      distinguished names may specify a desired distinguished name for a
>>      root CA or for a subordinate CA; thus, this message can be used to
>>      describe known roots as well as a desired authorization space.  If
>>      the certificate_authorities list is empty, then the client MAY
>>      send any certificate of the appropriate ClientCertificateType,
>>      unless there is some external arrangement to the contrary.
>> 
>> Now there may be other ways to solve the problem. That is why I sent a mail 
>> to the current IETF TLS mailing list, to check if there were
>> other possibilities current or ones that were being prepared for
>> future specs.
> 
> The TLS WG have expressed no interests in such issues.
> 
> Not even implementations care about the spec extract you refer to:
> https://code.google.com/p/android/issues/detail?id=38393

Bugs get fixed. As we deploy WebID more there will be more backlash
against such bugs, and so they'll get fixed faster.

> 
> The TLS credential filtering is clearly inferior but the TLS WG seems to take pride in ignoring consumers in similarity to many other IETF groups.
> PKIX latest certificate enrollment protocol (EST) does neither address the web, nor address mobile banking using "Apps".
> It remains a mystery (to me at least) what EST is actually targeting.
> 
> Possibly the whole space consumer-PKI is outside of the range of current SDOs.
> W3C's WebCrypto failed on this one as well so it seems that this is close to a "Universal Truth".

There is a lot of change going on since Snowden's revelations. So I think
you are going to need to revise a lot of your assumptions.
See:
  http://www.economist.com/blogs/babbage/2013/11/internet-after-snowden

And Bruce Schneier's talk at the IETF special meeting
  http://www.youtube.com/watch?v=oV71hhEpQ20

Henry

> 
> Cheers
> Anders
> 

Social Web Architect
http://bblfish.net/

Received on Sunday, 8 December 2013 10:55:18 UTC