W3C home > Mailing lists > Public > public-xg-webid@w3.org > April 2011

Re: self-signed

From: Henry Story <henry.story@bblfish.net>
Date: Mon, 18 Apr 2011 22:28:31 +0200
Cc: "'Mo McRoberts'" <mo.mcroberts@bbc.co.uk>, <public-xg-webid@w3.org>
Message-Id: <9D9FB8D4-7433-44AF-A99C-40DA835028B7@bblfish.net>
To: peter williams <home_pw@msn.com>

On 18 Apr 2011, at 18:20, peter williams wrote:
> Now, is Hans original cert conforming  - or NOT? (the one generated with
> some critical extensions)
> Yes, say I. The conformance suite should be granting him access to the
> conformance test target.

yes, say I too. But being pragmatic I say we should make it easy for people to work with what exists now as much as possible.

> If folks accept this, then folks need to configure that Apace mode to ignore
> v3 criticality, for that installation to be in "conforming mode".

agree, it would be better for many reasons to do that, for one it will make debugging suites like the ones we are developing a lot more useful (since they will be able to explain what the problem with the cert is)  But we know that many people find it difficult to upgrade, so I suggest that people build certs and that we help people build ones that we know work widely.

> As it
> stands, the site that Hans accessed is in non-conforming mode (for webid
> purposes). Im guessing Joe indicated how to fiddle Apache config so it
> approximates webid conforming mode.
> What we do not do ... is require Hans to have 2 certs now. Certs in webid
> land are not fussy. He can use any he likes, without having a special burden
> due to webid. This is because non of the extensions have any significance
> (aside from the SAN URI) - because conforming systems will not even verify
> the cert signature, or reject a cert with a unknown/broken signature.

WebId is a bit like a ballon. We can start by only providing WebID, but we can also blow it up to work with CA signed certificates, or with certificates signed with other WebID certificates. There it will matter that X509 extensions are written out correctly. For example if the certificate that signed the WebID is a CA - not one of the famous CAs out there and shipped in browsers, but web of trust based CAs tied to WebIDs - that gives the certificate certain signing rights, then all the X509 infrastructure is still valid and available to use.


Social Web Architect
Received on Monday, 18 April 2011 20:29:03 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:44 UTC