- From: peter williams <home_pw@msn.com>
- Date: Fri, 15 Apr 2011 03:28:29 -0700
- CC: "'WebID XG'" <public-xg-webid@w3.org>
That's fine. But what are we saying in terms of standards? Are we saying that (a) one must have v3 certs, (b) one must have extensions x y x, (c) if one does meet (b), x must not do this or that?

I believe webid should be *required* to work with v1 certs, and v3 certs with zero extensions. Any operating site can of course deviate from compliance and up the requirements. But the conformance test and default install test should assert the rules.

I cannot believe I'm about to say this, but, given the nature of the webid protocol, one could go further. A webid validator is required to ignore all extensions, critical or not. (This is because the signature on the cert need not validate.) A webid validator should be able to accept a cert whose signature does not verify or whose algorithm is unrecognized. (Are we willing to accept this?)

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Joe Presbrey
Sent: Wednesday, April 13, 2011 5:54 PM
To: Joerg Anders
Cc: WebID XG
Subject: Re: self-signed

Attached is a working certificate for Hans' WebID. FYI, I re-signed without the critical extensions using the following procedure:

    # decode: unpack the PKCS#12 bundle into an unencrypted PEM holding cert and key
    openssl pkcs12 -in HannesElmert.p12 -nodes > HannesElmert.pem
    # extract key: pull just the RSA private key out of the PEM
    openssl rsa -in HannesElmert.pem > hans.key
    # setup extensions: the only extensions the new cert will carry (SAN holds the WebID)
    echo -e 'basicConstraints=CA:FALSE\nsubjectAltName="URI:http://foaf.me/Hans#me"' > hans.ext
    # resign: -clrext drops every existing extension before -extfile adds the two above
    openssl x509 -signkey hans.key -in HannesElmert.pem -clrext -extfile hans.ext > hans.cer
    # pack: key and new cert back into one PEM
    cat hans.key hans.cer > hans.pem
    # export: rebuild the PKCS#12 bundle from the repacked PEM
    openssl pkcs12 -export -in hans.pem -nodes > hans.p12

-- Joe Presbrey
Received on Friday, 15 April 2011 10:28:58 UTC