W3C home > Mailing lists > Public > public-xg-webid@w3.org > April 2011

RE: self-signed

From: peter williams <home_pw@msn.com>
Date: Fri, 15 Apr 2011 03:28:29 -0700
Message-ID: <SNT143-ds3A10B35A20A71E6C8798F92AC0@phx.gbl>
CC: "'WebID XG'" <public-xg-webid@w3.org>
That's fine. But what are we saying in terms of standards?

Are we saying that
(a) one must have v3 certs
(b) one must have extensions x y x
(c) if one does meet (b), x must not do this or that?

I believe webid should be *required* to work with v1 certs, and v3 certs
with zero extensions. Any operating site can of course deviate from
compliance and up the requirements. But the conformance test and default
install test should assert the rules.

Im cannot believe Im about to say this, but, given the nature of webid
protocol, one could go further. A webid validator is required to ignore all
extensions, critical or not. (this is because the signature on the cert need
not validate).

A webid validator should be able to accept a cert whose signature does not
verify or whose algorithm is unrecognized. (are we willing to accept this?)

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Joe Presbrey
Sent: Wednesday, April 13, 2011 5:54 PM
To: Joerg Anders
Cc: WebID XG
Subject: Re: self-signed

Attached is a working certificate for Hans' WebID.

FYI, I resigned without the critical extensions using the following

# decode
openssl pkcs12 -in HannesElmert.p12 -nodes > HannesElmert.pem # extract key
openssl rsa -in HannesElmert.pem > hans.key # setup extensions echo -e
> hans.ext
# resign
openssl x509 -signkey hans.key -in HannesElmert.pem -clrext -extfile
hans.ext > hans.cer # pack cat hans.key hans.cer > hans.pem # export openssl
pkcs12 -export -in hans.pem -nodes > hans.p12

Joe Presbrey
Received on Friday, 15 April 2011 10:28:58 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:44 UTC