W3C home > Mailing lists > Public > public-xg-webid@w3.org > April 2011

Re: self-signed

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Mon, 18 Apr 2011 16:52:08 -0400
Message-ID: <4DACA478.4070004@openlinksw.com>
To: public-xg-webid@w3.org
On 4/18/11 4:10 PM, Henry Story wrote:
> On 18 Apr 2011, at 17:42, Kingsley Idehen wrote:
>> On 4/18/11 10:50 AM, Henry Story wrote:
>>> On 18 Apr 2011, at 16:25, Kingsley Idehen wrote:
>>>> Note: there is a mailto: scheme URI attribute=value pair associated with 'Subject':
>>>> Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala,
>>>>                 OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org
>>> That is indeed an option.
>>>> If that's all there is in a Certificate, bearing in mind this is the very cheapest Certificate to produce in the real world.
>>> I am not sure there is a price difference between a self signed v3 cert and a v1 certificate. If you can make one you can make the other.
>> Who is "You" ?
>> The issue boils down to HTTP scheme URI and SAN entry.
>> Cost, to be clearer (on my part) also included fact that when something exists out in the wild the cost of production == $0.00 :-) Thus, I really meant: there are lots of certs like this already in the wild that don't use HTTP scheme URIs and nothing in SAN. This is really where Webfinger, Fingerpoint come into their own re. WebID vector potential.
> A good idea, but let's speak numbers.
> How many certs with e-mail addresess as you published are there really?
> Of those how many are client certs? How many of those have mailto uris that are backed by webfinger?

Please re-read the sentences above.

This has nothing to do with Webfinger bar the fact that it solves the 
bigger issue of making a "mailto:" scheme URI a de-referencable URI. 
That's it.

This isn't about WebID vs Webfinger or anything like that. The issue 
boils down to this, and I don't need to go on a stats adventure with you 
re. this matter: there are may Certs generated without any SAN entries. 
The existing ecosystem for X.509 cert generation doesn't have SANs. 
Google and friends already have email addresses as resolvable URIs 
courtesy of Webfinger.

WebID can simply play along with this reality.

I'll get you stats if you can prove to me that GMAIL numbers are 
inconsequential :-)

> How many of those 'backed' by a link to a document that publishes a public key?

Sorry, it really isn't as important as you're trying to make out. Here 
is a much more pragmatic question (IMHO): how easy would it be to 
associate these mailto: scheme URIs with profile oriented Linked Data 
graphs bearing public keys. That's the reality out there.

> I think we are speaking of close to 0 above.

Sorry, but you are jumping to conclusions that are very easy to 
disprove. That said, you are sorta missing my point. Grasp my points and 
you really won't veer down this cul-de-sac :-)

>   Those that would wish to do any of the above would certainly find it not difficult at all to add a SAN field to the new certificates. And if we should at some point find a real measurable advantage to using these other methods, we can certainly leave that open.
> But doing that now, seems pre-mature.

No comment. Digest my earlier comments.
>>>> Ditto most prevalent i.e., no SAN, why shouldn't WebID be capable of doing this?
>>> It would be able to do this. It's a question of trying to keep things simple.
>> But when you say that its akin to someone saying: although I talk about Semantics, I oriented towards Syntax for sake of simplicity. We can't keep on using "simple" in very subjective way.
>> As you know, I don't think WebID is about "Simply Simple" its is about "Deceptively Simple", that's inherited from its AWWW DNA courtesy of Linked Data.
> I mean let's implement the tests for what we have got, and then evolve.

I am not asking you to do otherwise. I am saying get the tests right 
from the onset. Test the right thing i.e, WebID conformance without 
unnecessary specificity. Nothing stops anyone making what they 
subjective perceive to be pragmatic decisions in whatever they code. I 
am trying to encourage practice whereby those decisions are crystal 
clear rather than letting subjectivity taint the broader concept via bad 
conformance and interop test results.

> Until I see everyone interacting at the level we have defined now, I won't call anything above that simple.

"Simple" means different things to us, clearly. Nothing to me is 
"Simple" the trick is to create the illusion of "Simplicity" en route to 

Being a cognitive being ensures we are incapable of making anything that 
is truly just "simple", where longevity and broad adoption are essential 
characteristics. In my world view, things simply start off being 
"simple" as prerequisite for initial attention acquisition. In my 
quarters we refer to the aforementioned as being about: minimizing the 
"activation threshold" :-)

>>> The advantage of SAN is that they are clearly defined for the purpose we are using them for, and you can put e-mail addresses in there too.
>> I understand that, but the real world already have Certs. constructed in the manner outlined. I really believe minimizing inertia is the key to boostrap. When I architect products at OpenLink I always oriented to "minimal inertia". To the uninitiated this appears to be a bizarre preoccupation with protocol implementation, but that's far from it. It about the pragmatics of real technology bootstrap by dealing with the realities out in the wild.
>> We don't need to tell people what's best for them if we can show them how a new technology makes what they already have better, with minimal (if any) inertia associated infrastructure changes etc..
>>>   I am not sure of the issues that come up with the above scheme, how standards based they are, etc... It is good to have it as an option if we need it. But I don't see that the arguments for it are very strong yet.
>>>> It just boils down to being scheme agnostic
>>> You're not being scheme agnostic with mailto uris it seems to me.
>> Of course I am, the IdP is going to determine the canonical WebID and then de-reference it. You can de-reference a "mailto:" scheme URI using HTTP as exemplified by Webfinger and Fingerpoint.
> I am talking about the wikipedia example that contained
>   Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala,
>                 OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org
> the emailAddress is not schema agnostic I believe.
>>>   And it seems that sending e-mail uris around the web is not such a good idea as far as spam is concerned.
>> If WebID can't alleviate the scourge of SPAM, what on earth is its ultimate purpose?
> It will very likely by removing the need for e-mail altogther. E-mail is problematic in itself also because it is easy to run MITM attacks on it.
>>> SANs and IANs are scheme agnostic on the other hand.
>> So what? No the point when dealing with inertia reduction based on working with what exists already (however imperfect it might be).
> You have not proven any inertia gain from using emailAddress= in the DN field.
>> You are making the same old mistake that most programmers have made repeatedly over time i.e., technology implementer (the coder, typically) knows best. Sadly, that isn't true. Users are typically domain and subject matter experts that are time challenged and don't write code. Being the one that writes the code != best comprehend-er of the discourse domain or the subject matter intrinsic to the domain.
> We have all got reasonably interoperable code working in many languages with SANs. When we have this well documented and find things we can't do this way, then we can move on to work on other things.
>>>> and letting the IdP deal with the de-reference functionality. Remember, Linked Data is just a Webby way of handling de-reference and address-of operators that lies at the root of all forms of data access by reference.
>>> Social Web Architect
>>> http://bblfish.net/
>> -- 
>> Regards,
>> Kingsley Idehen	
>> President&   CEO
>> OpenLink Software
>> Web: http://www.openlinksw.com
>> Weblog: http://www.openlinksw.com/blog/~kidehen
>> Twitter/Identi.ca: kidehen
> Social Web Architect
> http://bblfish.net/



Kingsley Idehen	
President&  CEO
OpenLink Software
Web: http://www.openlinksw.com
Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca: kidehen
Received on Monday, 18 April 2011 20:52:32 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:44 UTC