On Wed, Apr 13, 2011 at 10:16 PM, peter williams <home_pw@msn.com> wrote:
> A self-signed cert is not a cert. Therefore using one is not a cert-using
> system. We are just borrowing the format, formally.

Actually, a self-signed cert /is/ a cert. Root CA certificates of today's PKI are great examples of self-signed certs [1]. It is up to the WebID authorizer and its own local policy whether to validate a certificate's issuer (if any), check CRLs, OCSP, etc. Fully open WebID authorizers will be very lenient (no cert validation).

You're right we borrowed the format. Let's standardize all inter-operable metadata containers to RDF/JSON including x509. But why wait for SSL to go RDF when we can bootstrap working endpoints and users on today's Apache/SSL systems?

I agree that Hans' criticals verification is silly in a "WebID environment" (SSLVerifyClient optional_no_ca). Here's the flag that stops it:

/usr/include/openssl/x509_vfy.h:371:#define X509_V_FLAG_IGNORE_CRITICAL 0x10

[1] http://en.wikipedia.org/wiki/Self-signed_certificate

--
Joe Presbrey

Received on Thursday, 14 April 2011 03:26:25 UTC