RE: self-signed

There is a complexity difference for consumers. With v3 certs, the programmer
types want to go beyond just naming.

I advise making v1 certs mandatory for support - to force the issue that
extensions are meaningless to webid. It is only to value-added functions beyond
webid that they are then valuable, since the value-add has the means to verify
the integrity and authenticity of the cert (using its signature), and can
enforce the criticalities and the extension controls.

This is a forcing function. A pure conforming webid system ignores critical
extensions, per the Hans example.

It promotes maximum interoperability, without hurting those who want to add
assurance BEYOND conformance, using CAs and extensions for professional key
management in large communities.

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Henry Story
Sent: Monday, April 18, 2011 7:50 AM
To: Kingsley Idehen
Cc: public-xg-webid@w3.org
Subject: Re: self-signed


On 18 Apr 2011, at 16:25, Kingsley Idehen wrote:

> Note: there is a mailto: scheme URI attribute=value pair associated with
> 'Subject':
> 
> Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft,
> CN=www.freesoft.org/emailAddress=baccala@freesoft.org

That is indeed an option.

> If that's all there is in a Certificate, bearing in mind this is the very
> cheapest Certificate to produce in the real world.

I am not sure there is a price difference between a self-signed v3 cert and
a v1 certificate. If you can make one you can make the other.

> Ditto most prevalent i.e., no SAN, why shouldn't WebID be capable of doing
> this?

It would be able to do this. It's a question of trying to keep things
simple. The advantage of SANs is that they are clearly defined for the
purpose we are using them for, and you can put e-mail addresses in there
too. I am not sure of the issues that come up with the above scheme, how
standards based they are, etc... It is good to have it as an option if we
need it. But I don't see that the arguments for it are very strong yet.

> It just boils down to being scheme agnostic

You're not being scheme agnostic with mailto uris it seems to me. And it
seems that sending e-mail uris around the web is not such a good idea as far
as spam is concerned. SANs and IANs are scheme agnostic on the other hand.

> and letting the IdP deal with the de-reference functionality. Remember,
> Linked Data is just a Webby way of handling de-reference and address-of
> operators that lies at the root of all forms of data access by reference.




Social Web Architect
http://bblfish.net/

Received on Monday, 18 April 2011 15:24:52 UTC
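The contrast drawn in this thread, as an added example that is not code from the thread or from the WebID XG: a self-contained Python script that hand-encodes a v1 certificate (Subject only, with emailAddress carried in the Subject as in Kingsley's openssl dump) and a v3 certificate (same Subject plus a subjectAltName holding a URI and an rfc822Name, plus a critical extension under a hypothetical private OID), then reads both back with two consumers. One is a pure WebID consumer that takes SAN URIs and ignores criticality altogether; the other is a value-add consumer that honours RFC 5280 criticality and refuses the unknown critical extension. The subject data is constructed on example.org, the key and signature fields are zero-filled placeholders (nothing is signed or checked), and the private OID 1.3.6.1.4.1.99999.1 is invented for the example.

```python
# Added example, not WebID XG code: keys and signatures are zero-filled placeholders.
EMAIL_OID = "1.2.840.113549.1.9.1"                 # emailAddress attribute (IA5String)
CN_OID, O_OID, SAN_OID = "2.5.4.3", "2.5.4.10", "2.5.29.17"

def tlv(tag, body):                                # DER TLV, short or long definite length
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):                                   # OBJECT IDENTIFIER, base-128 arcs
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def name(*attrs):                                  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    return seq(*(tlv(0x31, seq(oid(o), tlv(0x16 if o == EMAIL_OID else 0x0C, v.encode())))
                 for o, v in attrs))               # emailAddress is IA5String, others UTF8String

def extension(o, critical, value):                 # Extension ::= SEQUENCE {oid, critical, OCTET STRING}
    return seq(oid(o), tlv(0x01, b"\xff") if critical else b"", tlv(0x04, value))

ALG = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))   # sha256WithRSAEncryption (label only)
DUMMY_BITS = tlv(0x03, bytes(9))                          # zero-filled BIT STRING placeholder

def certificate(subject, extensions=()):           # self-signed shape: issuer == subject
    tbs = [tlv(0xA0, tlv(0x02, b"\x02"))] if extensions else []    # [0] version = 2 (v3) only if needed
    tbs += [tlv(0x02, b"\x01"), ALG, subject,                       # serial, sigalg, issuer
            seq(tlv(0x17, b"110418000000Z"), tlv(0x17, b"210418000000Z")), subject,
            seq(seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b"")), DUMMY_BITS)]   # SPKI
    if extensions:
        tbs.append(tlv(0xA3, seq(*extensions)))                    # [3] Extensions
    return seq(seq(*tbs), ALG, DUMMY_BITS)

def children(body):                                # split a SEQUENCE/SET body into (tag, value)
    items, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:
            k = n & 0x7F
            n, pos = int.from_bytes(body[pos:pos + k], "big"), pos + k
        items.append((tag, body[pos:pos + n]))
        pos += n
    return items

def decode_oid(b):
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))

def parse_cert(der):
    """Version, Subject emailAddress values, SAN names, and critical extensions we do not know."""
    tbs = children(children(children(der)[0][1])[0][1])
    version, i = (children(tbs[0][1])[0][1][0] + 1, 1) if tbs[0][0] == 0xA0 else (1, 0)
    info = {"version": version, "subject_emails": [], "san_uris": [], "san_emails": [],
            "unknown_critical": []}
    for _, rdn_set in children(tbs[i + 4][1]):                    # subject Name
        for _, atv in children(rdn_set):
            (_, o), (_, v) = children(atv)
            if decode_oid(o) == EMAIL_OID:
                info["subject_emails"].append(v.decode())
    exts = [b for t, b in tbs[i + 6:] if t == 0xA3]               # [3] Extensions, if present
    for _, ext in children(children(exts[0])[0][1]) if exts else []:
        parts = children(ext)
        ext_oid, critical = decode_oid(parts[0][1]), len(parts) == 3   # BOOLEAN only present if TRUE
        if ext_oid == SAN_OID:
            for gtag, gval in children(children(parts[-1][1])[0][1]):      # GeneralNames
                key = {0x86: "san_uris", 0x81: "san_emails"}.get(gtag)     # [6] URI, [1] rfc822Name
                if key:
                    info[key].append(gval.decode())
        elif critical:
            info["unknown_critical"].append(ext_oid)
    return info

def webid_claimed_uris(info):                      # pure WebID consumer: SAN URIs, criticality ignored
    return list(info["san_uris"])

def rfc5280_consumer_accepts(info):                # value-added consumer: unknown critical is fatal
    return not info["unknown_critical"]

SUBJECT = name((O_OID, "Example Org"), (CN_OID, "example.org"),   # constructed example.org subject
               (EMAIL_OID, "alice@example.org"))

def samples():                                     # (v1, v3) with the same Subject
    san = extension(SAN_OID, False, seq(tlv(0x86, b"https://example.org/alice#me"),
                                         tlv(0x81, b"alice@example.org")))
    private = extension("1.3.6.1.4.1.99999.1", True, tlv(0x04, b"\x01"))  # hypothetical OID, critical
    return certificate(SUBJECT), certificate(SUBJECT, [san, private])
```

Running parse_cert over the two outputs of samples() shows the split the thread is about: the v1 certificate carries nothing but the Subject, so a consumer looking for SAN URIs finds none and has only the emailAddress attribute to fall back on, while the v3 certificate yields the WebID URI to the conforming consumer (which never looks at the critical flag) yet is rejected outright by the consumer that enforces RFC 5280 criticality.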