Re: Request for Review of WebID specs before publishing

On Fri, Sep 6, 2013 at 9:41 PM, Erich Bremer <erich@ebremer.com> wrote:

>  On that note, should we add language to support certificate revocation
> lists in the cert ontology?
> See: http://www.ietf.org/rfc/rfc5280.txt
> 3.3 Revocation
> and
> 5.3.1. Reason Code
>
>
>    CRLReason ::= ENUMERATED {
>         unspecified             (0),
>         keyCompromise           (1),
>         cACompromise            (2),
>         affiliationChanged      (3),
>         superseded              (4),
>         cessationOfOperation    (5),
>         certificateHold         (6),
>              -- value 7 is not used
>         removeFromCRL           (8),
>         privilegeWithdrawn      (9),
>         aACompromise           (10) }
>
> If like you say, someone breaks RSA (like NSA ;-), how do we indicate in a standardized way to the WebID community why a key was disabled?  Deleting a key cuts off any issues, but if I am trying to validate why Henry posted something "not so nice" about me on https://my-profile.eu/ on 11/1/2013, it could have been a hacker who stole his private key.  Henry then, with CRL language in his WebID profile could indicate that a particular key was compromised on 11/2/2013 with a "cACompromise". Now instead of guessing, I have an idea that it probably wasn't him.  - Erich
>
True, but in that case, there is no indication that a particular key was
used by Henry when he auth'd to https://my-profile.eu/ when he posted. This
mechanism would involve a full traceability of the user's actions, on all
the services he visited. Maybe we drop it for now and open an ISSUE on the
tracker, to deal with it once we're done with the review.

Andrei


>
>
> On 09/06/13 3:22 PM, Andrei Sambra wrote:
>
> On Fri, Sep 6, 2013 at 9:14 PM, Erich Bremer <erich@ebremer.com> wrote:
>
>>   https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
>>  2.2.1.1 Cryptographic Vocabulary
>>
>> "The following properties *should* be used when conveying the relation
>> between the Subject (https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html#dfn-subject)
>> and his or her key, within WebID Profile (https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html#dfn-webid_profile)
>> documents:"
>> Shouldn't "SHOULD" be "MUST"?  - Erich
>>
>
>  Good question!
>
>  I've been recently thinking about that section. I think SHOULD is ok for
> now, as long as we mention that WebID-TLS supports multiple encryption
> algorithms that are available for TLS.
>
>  And now...what if tomorrow we find out that a new attack completely
> breaks RSA? This is probably a question that we can ask once we move to a
> WG.
>
>  Andrei
>
>
>>
>>
>>
>> On 09/05/13 9:52 AM, Henry Story wrote:
>>
>> Dear WebID Community Group,
>>
>>   we now have three specs up on github here
>>
>>    https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index.html
>>
>> All editors think that it is time to publish a new version
>> on the W3C WebID Incubator space, to finalise the distinction
>> between WebID, WebID-TLS, and the cert ontology.
>>
>> So we would like to be able to publish the specs above
>> at the following location, by Friday 20 September 2013
>>
>>   http://www.w3.org/2005/Incubator/webid/spec/
>>
>> We would be very happy to receive feedback from
>> the community before doing so. If you can spot
>> any errors or improvements please let us know,
>> we'll do our best to get them in before publication.
>>
>>    Thanks,
>>
>>   Henry Story
>>
>>
Social Web Architect  http://bblfish.net/
>>
>>
>>
>
>

Received on Friday, 6 September 2013 19:49:39 UTC
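As an added example, not code from this thread, from the WebID specs or from the cert ontology: the block below decodes the DER-encoded CRLReason ENUMERATED that RFC 5280 section 5.3.1 defines (the list Erich quotes), and then runs the check Erich describes against a constructed profile record, asking whether a given key was flagged as compromised at the moment a post was made. The per-key record fields (`key_id`, `revoked_on`, `invalid_from`, `reason_der`) are invented for this example; no cert-ontology term defines them, and the `invalid_from` field is modelled on the RFC 5280 Invalidity Date entry extension (section 5.3.2). The sample records are constructed.

```python
"""Added example: RFC 5280 CRLReason decoding and a 'was this key compromised at
time T?' check over hypothetical per-key revocation records in a WebID profile."""
from datetime import datetime, timezone

# CRLReason values exactly as enumerated in RFC 5280 section 5.3.1.
CRL_REASONS = {
    0: "unspecified",
    1: "keyCompromise",
    2: "cACompromise",
    3: "affiliationChanged",
    4: "superseded",
    5: "cessationOfOperation",
    6: "certificateHold",
    # value 7 is not used
    8: "removeFromCRL",
    9: "privilegeWithdrawn",
    10: "aACompromise",
}
REASON_CODES = {name: code for code, name in CRL_REASONS.items()}

# Reasons that mean someone other than the holder may have used the key.
COMPROMISE_REASONS = {"keyCompromise", "cACompromise", "aACompromise"}


def encode_crl_reason(name: str) -> bytes:
    """DER-encode a CRLReason name as ENUMERATED (tag 0x0A, one content octet)."""
    return bytes([0x0A, 0x01, REASON_CODES[name]])


def decode_crl_reason(der: bytes) -> str:
    """Decode a DER ENUMERATED CRLReason into its RFC 5280 name.

    Rejects anything that is not a well-formed single-octet ENUMERATED and any
    value the RFC does not define (including the unused value 7)."""
    if len(der) != 3 or der[0] != 0x0A or der[1] != 0x01:
        raise ValueError("not a single-octet DER ENUMERATED")
    value = der[2]
    if value not in CRL_REASONS:
        raise ValueError(f"reserved or unknown CRLReason {value}")
    return CRL_REASONS[value]


# Hypothetical per-key revocation records (constructed data, invented field names).
# 'invalid_from' is the earliest moment the key is believed to have been
# compromised; 'revoked_on' is when the holder actually recorded the revocation.
UTC = timezone.utc
PROFILE_KEYS = [
    {"key_id": "key-2012",
     "revoked_on": datetime(2013, 11, 2, tzinfo=UTC),
     "invalid_from": datetime(2013, 10, 30, tzinfo=UTC),
     "reason_der": encode_crl_reason("keyCompromise")},
    {"key_id": "key-2011",
     "revoked_on": datetime(2013, 1, 15, tzinfo=UTC),
     "invalid_from": None,
     "reason_der": encode_crl_reason("superseded")},
    {"key_id": "key-2013",
     "revoked_on": None, "invalid_from": None, "reason_der": None},
]


def key_status_at(records, key_id: str, when: datetime) -> str:
    """Classify what the profile says about key_id at time `when`.

    Returns one of:
      "unknown-key"          - key_id is not listed in the profile
      "active"               - no revocation recorded, or `when` precedes the
                               earliest problem date the record gives
      "revoked"              - revoked for a reason that does not imply misuse
                               by someone else (superseded, affiliationChanged, ...)
      "possibly-compromised" - revoked with a compromise reason and `when`
                               falls on or after the record's invalidity date
    Note: this only says what the profile claims about the key; it cannot tell
    which key was actually used for a particular login (Andrei's point above)."""
    for rec in records:
        if rec["key_id"] != key_id:
            continue
        if rec["reason_der"] is None:
            return "active"
        reason = decode_crl_reason(rec["reason_der"])
        # Fall back to the revocation date when no invalidity date was recorded.
        since = rec["invalid_from"] or rec["revoked_on"]
        if when < since:
            return "active"
        return "possibly-compromised" if reason in COMPROMISE_REASONS else "revoked"
    return "unknown-key"


if __name__ == "__main__":
    post_time = datetime(2013, 11, 1, tzinfo=UTC)  # Erich's 11/1/2013 post
    for rec in PROFILE_KEYS:
        print(rec["key_id"], key_status_at(PROFILE_KEYS, rec["key_id"], post_time))
```

Run as a script it prints the status of each constructed key at the time of the 11/1/2013 post; the compromised key reports "possibly-compromised" because its invalidity date precedes the post, even though the revocation itself was only recorded on 11/2. The invalidity date is what makes the check useful, since a revocation recorded after the fact says nothing about how long the key had already been in the wrong hands.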