- From: peter williams <home_pw@msn.com>
- Date: Mon, 18 Apr 2011 09:20:51 -0700
- To: "'Mo McRoberts'" <mo.mcroberts@bbc.co.uk>, "'Henry Story'" <henry.story@bblfish.net>
- CC: <public-xg-webid@w3.org>
I think we are all agreed. The question is conformance, and the test suite that decides conformance. What defines a cert as conforming is what we can address in the spec. We cannot address the infinite number of variations imposed by relying party policy. Personally, finding out what 10 research sites think is good policy is irrelevant to me. It's just more web crud.

Now, is Hans' original cert conforming - or NOT? (the one generated with some critical extensions) Yes, say I. The conformance suite should be granting him access to the conformance test target. If folks accept this, then folks need to configure that Apache mode to ignore v3 criticality, for that installation to be in "conforming mode". As it stands, the site that Hans accessed is in non-conforming mode (for webid purposes). I'm guessing Joe indicated how to fiddle Apache config so it approximates webid conforming mode.

What we do not do ... is require Hans to have 2 certs now. Certs in webid land are not fussy. He can use any he likes, without having a special burden due to webid. This is because none of the extensions have any significance (aside from the SAN URI) - because conforming systems will not even verify the cert signature, or reject a cert with an unknown/broken signature.

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org] On Behalf Of Mo McRoberts
Sent: Monday, April 18, 2011 2:36 AM
To: Henry Story
Cc: peter williams; public-xg-webid@w3.org
Subject: Re: self-signed

On 18 Apr 2011, at 10:27, Henry Story wrote:

> It is true that we need to think more carefully about the relation between the claims made in the certificate and the authentication.

[snip for brevity]

> So in short a CA based statement is one anchor in the web of trust. The WebID based one another. Combining them increases trust. Even for self signed certificates.

Excellent summary, Henry - I'm with you on pretty much every point.

As an adjunct: I'm envisaging systems built on/leveraging WebID which may well take advantage of other facets of X509 which WebID itself doesn't necessarily care about - so I'm reticent to "throw the baby out with the bathwater", as it were.

M.

--
Mo McRoberts - Data Analyst - Digital Public Space, Zone 1.08, BBC Scotland, 40 Pacific Quay, Glasgow G51 1DA, Room 7066, BBC Television Centre, London W12 7RJ, 0141 422 6036 (Internal: 01-26036) - PGP key 0x663E2B4A http://www.bbc.co.uk/
Received on Monday, 18 April 2011 16:21:20 UTC
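The "conforming mode" Peter describes, as an added example that is not code from the thread or from any WebID implementation: the relying party reads the SAN URI and nothing else, so an unrecognised critical extension is logged rather than fatal and the self-signature is not verified (in WebID the key is instead matched against the one published at the profile URI, which is out of scope here). It assumes the Python `cryptography` package; the private-arc OID and the certificate built by `make_self_signed_cert` are constructed test fixtures.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID, ObjectIdentifier

# Constructed, hypothetical private-arc OID standing in for an extension the
# relying party does not understand (like the critical ones in Hans' cert).
UNKNOWN_OID = ObjectIdentifier("1.3.6.1.4.1.99999.1")


def make_self_signed_cert(webid):
    """Build a throwaway self-signed cert (DER) carrying a SAN URI plus an
    unrecognised extension that is flagged critical."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "WebID test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(
            x509.SubjectAlternativeName([x509.UniformResourceIdentifier(webid)]),
            critical=False,
        )
        # 0x05 0x00 is DER NULL: any payload works, the verifier never decodes it.
        .add_extension(x509.UnrecognizedExtension(UNKNOWN_OID, b"\x05\x00"), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.DER)


def webid_uris(der):
    """Return the SAN URIs of a DER cert. Parsing only: no chain building, no
    signature check, and unknown critical extensions are left alone."""
    cert = x509.load_der_x509_certificate(der)
    try:
        ext = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
    except x509.ExtensionNotFound:
        return []
    return ext.value.get_values_for_type(x509.UniformResourceIdentifier)


def unknown_critical_oids(der):
    """List critical extensions the parser does not recognise, so a relying
    party in conforming mode can log them instead of rejecting the cert."""
    cert = x509.load_der_x509_certificate(der)
    return [e.oid.dotted_string for e in cert.extensions
            if e.critical and isinstance(e.value, x509.UnrecognizedExtension)]
```

Flipping the final byte of the DER corrupts the signature value, and `webid_uris` still returns the same URI, which is exactly the "unknown/broken signature" case Peter says a conforming system must tolerate.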