Re: Request for Review of WebID specs before publishing from Andrei Sambra on 2013-09-06 (public-webid@w3.org from September 2013)

From: Andrei Sambra <andrei.sambra@gmail.com>
Date: Fri, 6 Sep 2013 21:58:32 +0200
To: Erich Bremer <erich@ebremer.com>
Cc: Henry Story <henry.story@bblfish.net>, "public-webid@w3.org" <public-webid@w3.org>
Message-ID: <CAFG79ei3EjafGn5EJMvDr5sC4bOqkaQWSm5wWs1GpCctWNdogg@mail.gmail.com>
On Fri, Sep 6, 2013 at 9:55 PM, Erich Bremer <erich@ebremer.com> wrote:

>  On 09/06/13 3:48 PM, Andrei Sambra wrote:
>
>
>  On Fri, Sep 6, 2013 at 9:41 PM, Erich Bremer <erich@ebremer.com> wrote:
>
>>  On that note, should we add language to support certificate revocation
>> lists in the cert ontology?
>> See: http://www.ietf.org/rfc/rfc5280.txt
>> 3.3 Revocation
>> and
>> 5.3.1. Reason Code
>>
>>
>>    CRLReason ::= ENUMERATED {
>>         unspecified             (0),
>>         keyCompromise           (1),
>>         cACompromise            (2),
>>         affiliationChanged      (3),
>>         superseded              (4),
>>         cessationOfOperation    (5),
>>         certificateHold         (6),
>>              -- value 7 is not used
>>         removeFromCRL           (8),
>>         privilegeWithdrawn      (9),
>>         aACompromise           (10) }
>>
>> If like you say, someone breaks RSA (like NSA ;-), how do we indicate in a standardize way to the WebID community why a key was disabled?  Deleting a key cuts off any issues, but if I am trying to validate why Henry posted something "not so nice" about me on https://my-profile.eu/ on 11/1/2013, it could have been a hacker who stole his private key.  Henry then, with CRL language in his WebID profile could indicate that a particular key was compromised on 11/2/2013 with a "cACompromise". Now instead of guessing, I have an idea that it wasn't probably him.  - Erich
>>
>>   True, but in that case, there is no indication that a particular key
> was used by Henry when he auth'd to https://my-profile.eu/ when he
> posted. This mechanism would involve a full traceability of the user's
> actions, on all the services he visited. Maybe we drop it for now and open
> an ISSUE on the tracker, to deal with it once we're done with the review.
>
>
> Unless the public key is kept but flagged as disabled.  That would be a
> different process though.  I was thinking in terms of digitally signed
> RDF/data with my WebID.  Perhaps you're right, flag it for later.  - Erich
>

Yes, digitally signing RDF would be great. However, unless we come up with
a canonical representation of RDF data (independent of serialization),
there is no way to do it currently.

Andrei


>
>
>
>
>  Andrei
>
>
>>
>>
>> On 09/06/13 3:22 PM, Andrei Sambra wrote:
>>
>> On Fri, Sep 6, 2013 at 9:14 PM, Erich Bremer <erich@ebremer.com> wrote:
>>
>>>   https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html
>>>  2.2.1.1 Cryptographic Vocabulary
>>>
>>> "The following properties *should* be used when conveying the relation
>>> between the Subject<https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html#dfn-subject>
>>>  and his or her key, within WebID Profile<https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/tls-respec.html#dfn-webid_profile>
>>>  documents:"
>>> Shouldn't "SHOULD" be "MUST"?  - Erich
>>>
>>
>>  Good question!
>>
>>  I've been recently thinking about that section. I think SHOULD is ok
>> for now, as long as we mention that WebID-TLS supports multiple encryption
>> algorithms that are available for TLS.
>>
>>  And now...what if tomorrow we find out that a new attack completely
>> breaks RSA? This is probably a question that we can ask once we move to a
>> WG.
>>
>>  Andrei
>>
>>
>>>
>>>
>>>
>>> On 09/05/13 9:52 AM, Henry Story wrote:
>>>
>>> Dear WebID Community Group,
>>>
>>>   we now have three specs up on github here
>>>
>>>    https://dvcs.w3.org/hg/WebID/raw-file/tip/spec/index.html
>>>
>>> All editors think that it is time to publish a new version
>>> on the W3C WebID Incubator space, to finalise the distinction
>>> between WebID, WebID-TLS, and the cert ontology.
>>>
>>> So we would like to be able to publish the specs above
>>> at the following location, by Friday 20 September 2013
>>>
>>>   http://www.w3.org/2005/Incubator/webid/spec/
>>>
>>> We would be very happy to receive feedback from
>>> the community before doing so. If you can spot
>>> any errors or improvements please let us know,
>>> we'll do our best to get them in before publication.
>>>
>>>    Thanks,
>>>
>>>   Henry Story
>>>
>>>
>>> Social Web Architecthttp://bblfish.net/
>>>
>>>
>>>
>>
>>
>
>
Received on Friday, 6 September 2013 19:59:19 UTC