Re: self-signed

On Wed, Apr 13, 2011 at 10:16 PM, peter williams <home_pw@msn.com> wrote:
> A self-signed cert is not a cert. Therefore using one is not a cert-using
> system. We are just borrowing the format, formally.

Actually, a self-signed cert /is/ a cert. Root CA certificates of
today's PKI are great examples of self-signed certs [1].

It is up to the WebID authorizer and its own local policy whether to
validate a certificate's issuer (if any), check CRLs, OCSP, etc. Fully
open WebID authorizers will be very lenient (no cert validation).

You're right we borrowed the format. Let's standardize all
inter-operable metadata containers to RDF/JSON including x509. But why
wait for SSL to go RDF when we can bootstrap working endpoints and
users on today's Apache/SSL systems?

I agree that Hans' criticals verification is silly in a "WebID
environment" (SSLVerifyClient optional_no_ca). Here's the flag that
stops it: /usr/include/openssl/x509_vfy.h:371:#define
X509_V_FLAG_IGNORE_CRITICAL 0x10

[1] http://en.wikipedia.org/wiki/Self-signed_certificate

--
Joe Presbrey

Received on Thursday, 14 April 2011 03:26:25 UTC
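Added example, not part of the thread above and not code from any WebID implementation: it uses only the openssl CLI to show the two points the reply makes, that a self-signed certificate is a complete X.509 certificate (issuer equals subject and the signature verifies against its own public key, exactly like a root CA cert), and that whether to accept it is a local trust-store policy decision rather than a property of the format. The subject name alice.example and the temporary file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Demonstrates that a
# self-signed cert is a real X.509 cert and that accepting it is a matter
# of local verification policy. Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a constructed self-signed certificate for a placeholder subject.
gen_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=alice.example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# A self-signed cert has issuer == subject. Prints "yes" or "no".
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    subj=${subj#subject=}
    iss=${iss#issuer=}
    [ "$subj" = "$iss" ] && echo yes || echo no
}

# Lenient policy (the spirit of SSLVerifyClient optional_no_ca): treat the
# presented cert as its own trust anchor. This succeeds because the
# signature checks against the cert's own public key, which is all a
# root CA certificate offers as well. Prints "ok" or "fail".
verify_lenient() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 && echo ok || echo fail
}

# Strict policy: only certs chaining to a CA in the system trust store are
# accepted. The constructed self-signed cert is not in that store, so
# verification fails (openssl reports a self-signed certificate error).
verify_strict() {
    openssl verify "$1" >/dev/null 2>&1 && echo ok || echo fail
}

# Stand-alone demo run.
gen_self_signed
echo "self-signed (issuer == subject): $(is_self_signed "$WORK/cert.pem")"
echo "lenient policy (cert as own anchor): $(verify_lenient "$WORK/cert.pem")"
echo "strict policy (system trust store):  $(verify_strict "$WORK/cert.pem")"
```

The same openssl verify command accepts an -ignore_critical option, which is the CLI counterpart of the X509_V_FLAG_IGNORE_CRITICAL flag quoted above; leaving it off is the safer default, since a critical extension the verifier does not understand is by definition one the issuer said must not be ignored.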