Re: FAQ on creating certificates for every language

On 8 Apr 2011, at 10:42, Henry Story wrote:

> Thanks Mo,
> 
> this is very useful. It should find its way onto the HOWTO page of the wiki, directly or via a link to a blog or to this post.

When I get time, I'll try to get it up at some point if nobody else gets there first…

> At some point we will need to work out what the IETF right way is to create a cert, as well as know what works, so that we can specify exactly the minimum needed for WebID certs. Then we could set up a test suite for those, to analyse them, and explain what in the certificate is correct, what is acceptable, what we don't know,... 

From a WebID perspective, Postel's law probably applies, I guess… a server should really only care if the SAN is present, the RDF can be retrieved, and it all paints a coherent picture. Meanwhile, the cert generation should aim to be as compatible as possible, so I guess the test suite would need to consist of a 'test your client cert' which is very strict, and a 'test your server' which sends all kinds of horrible things to the server :-) The latter is probably easier. Generating nasty certificates where the only consistent part is the presence of the SAN is the easy part...

M.

-- 
Mo McRoberts - Data Analyst - Digital Public Space,
Zone 1.08, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA,
Room 7066, BBC Television Centre, London W12 7RJ,
0141 422 6036 (Internal: 01-26036) - PGP key 0x663E2B4A





Received on Friday, 8 April 2011 09:47:29 UTC