- From: Joe Presbrey <presbrey@csail.mit.edu>
- Date: Wed, 13 Apr 2011 23:10:06 -0400
- To: peter williams <home_pw@msn.com>
- Cc: nathan@webr3.org, Henry Story <henry.story@bblfish.net>, WebID XG <public-xg-webid@w3.org>
On Wed, Apr 13, 2011 at 10:16 PM, peter williams <home_pw@msn.com> wrote:

> A self-signed cert is not a cert. Therefore using one is not a cert-using
> system. We are just borrowing the format, formally.

Actually, a self-signed cert /is/ a cert. Root CA certificates of today's PKI are great examples of self-signed certs [1]. It is up to the WebID authorizer and its own local policy whether to validate a certificate's issuer (if any), check CRLs, OCSP, etc. Fully open WebID authorizers will be very lenient (no cert validation).

You're right we borrowed the format. Let's standardize all inter-operable metadata containers to RDF/JSON including x509. But why wait for SSL to go RDF when we can bootstrap working endpoints and users on today's Apache/SSL systems?

I agree that Hans' criticals verification is silly in a "WebID environment" (SSLVerifyClient optional_no_ca). Here's the flag that stops it:

/usr/include/openssl/x509_vfy.h:371:#define X509_V_FLAG_IGNORE_CRITICAL 0x10

[1]. http://en.wikipedia.org/wiki/Self-signed_certificate

--
Joe Presbrey
Received on Thursday, 14 April 2011 03:26:25 UTC
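The two technical points in the mail above (a self-signed certificate is a real, verifiable certificate, and whether to reject unknown critical extensions is the authorizer's own policy, which OpenSSL exposes as X509_V_FLAG_IGNORE_CRITICAL) can be shown with a small local-policy checker. The following is an added example written for this archive page, not code from Joe Presbrey, the WebID XG or any of the projects discussed; it assumes the Python `cryptography` library, and the names `open_authorizer_check`, `is_self_signed`, `unhandled_critical_extensions` and the private OID arc used for the fabricated extension are all constructed for the demo.

```python
"""Local-policy check of a self-signed client certificate, modelled on a lenient
"open" WebID authorizer: no CA chain, no CRL/OCSP, but the certificate must be
internally consistent, in its validity window, and free of critical extensions
the authorizer cannot honour unless ignore_critical (the policy equivalent of
OpenSSL's X509_V_FLAG_IGNORE_CRITICAL) is set.  Constructed example code."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID, ObjectIdentifier

# Extensions this hypothetical authorizer understands; a *critical* extension
# outside this set is one it must either reject or, by policy, ignore.
KNOWN_EXTENSIONS = {
    ExtensionOID.BASIC_CONSTRAINTS,
    ExtensionOID.KEY_USAGE,
    ExtensionOID.SUBJECT_ALTERNATIVE_NAME,
    ExtensionOID.SUBJECT_KEY_IDENTIFIER,
}

# Made-up private OID arc, used only to fabricate an "unknown" extension.
UNKNOWN_CRITICAL_OID = ObjectIdentifier("1.3.6.1.4.1.99999.1")


def make_self_signed_cert(signing_key, subject_key=None, unknown_critical=False):
    """Issue a cert whose issuer name equals its subject name.

    With subject_key != signing_key the result *looks* self-signed (names match)
    but its signature cannot be verified with the embedded public key.
    """
    subject_key = subject_key or signing_key
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "webid-demo")])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
    )
    if unknown_critical:
        builder = builder.add_extension(
            x509.UnrecognizedExtension(UNKNOWN_CRITICAL_OID, b"\x05\x00"), critical=True
        )
    return builder.sign(signing_key, hashes.SHA256())


def _validity_window(cert):
    """(not_before, not_after) as aware UTC datetimes across library versions."""
    try:
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    except AttributeError:  # cryptography < 42 exposes naive UTC datetimes
        utc = datetime.timezone.utc
        return (cert.not_valid_before.replace(tzinfo=utc),
                cert.not_valid_after.replace(tzinfo=utc))


def is_self_signed(cert):
    """Self-issued *and* the signature verifies with the embedded key."""
    if cert.issuer != cert.subject:
        return False
    try:
        cert.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            padding.PKCS1v15(),  # RSA keys only in this demo
            cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False
    return True


def unhandled_critical_extensions(cert):
    """Dotted OIDs of critical extensions the authorizer does not understand."""
    return [ext.oid.dotted_string for ext in cert.extensions
            if ext.critical and ext.oid not in KNOWN_EXTENSIONS]


def open_authorizer_check(cert, ignore_critical=False, now=None):
    """Lenient local policy. Returns (accepted, reason)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    not_before, not_after = _validity_window(cert)
    if not (not_before <= now <= not_after):
        return False, "outside validity period"
    # A self-issued cert must at least be consistent with its own key; a cert
    # from a third-party issuer is accepted here without chain validation,
    # which is exactly the leniency an open WebID authorizer chooses.
    if cert.issuer == cert.subject and not is_self_signed(cert):
        return False, "self-issued but signature does not verify with embedded key"
    unhandled = unhandled_critical_extensions(cert)
    if unhandled and not ignore_critical:
        return False, "unhandled critical extension(s): " + ", ".join(unhandled)
    return True, "accepted"


if __name__ == "__main__":
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    print(open_authorizer_check(make_self_signed_cert(key)))
    odd = make_self_signed_cert(key, unknown_critical=True)
    print(open_authorizer_check(odd), open_authorizer_check(odd, ignore_critical=True))
```

The signature check is what makes a self-signed certificate more than "just the format": a certificate whose issuer name matches its subject but whose signature does not verify with the embedded key is rejected even by this lenient policy, while a genuinely self-signed one is accepted with no CA involved. The `ignore_critical` switch reproduces the policy decision the mail describes; a strict deployment would leave it off and would additionally validate the issuer chain where the code notes it does not.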