- From: Andrei Sambra <andrei@fcns.eu>
- Date: Sat, 30 Apr 2011 22:31:11 +0200
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
If I understand the first question, it should suffice for the CA to extract the WebID and then dereference the foaf card indicated by the URI. It's pretty much the same steps involved in performing WebID authentication.

For the second question, I don't see why we couldn't. However, I wonder why we should do it. The question is, what are you looking to do? Trust a certificate (its owner), or trust the people using it (the owner of the FOAF card)? If you are referring to something similar to PGP, then there is an article on one of the wiki pages which describes why WebID makes it easier to implement a web of trust, without signing anything. If you are referring to the general case, as a way to improve trust, then I still don't see why signing anything would improve trust.

Now, let me rant for a little, since I've seen lots of emails on this list discussing CAs and general issues related to PKI, and I also fear some of the mailing list members still don't understand WebID.

Quick recap: WebID offers first and foremost a way to authenticate users. This is done using self-signed certificates (as far as CAs/PKI systems are concerned) which contain a reference to the certificate owner's public foaf card. This card serves as the user's "identity", and contains one or more public keys belonging to one or more x509 certificates, which in turn serve to verify that the browser certificate which was used to point to this foaf card does indeed belong to the card's identity.

As you can see, the browser certificate is only useful to establish that a user connecting to a service is indeed the owner of the foaf card which contains his/her identity. Whatever trust relationships we intend to form do not involve the certificates! This is where the linked data comes into play, and for example, we could simply use foaf:knows to create a web of trust.

I hope I've made myself clear. Oh, please do not consider this post as a personal attack on someone, or my way to start a flame war.

Andrei

On Sat, 2011-04-30 at 21:49 +0200, Melvin Carvalho wrote:
> A couple of questions:
>
> Is it possible for a trusted CA to assert that a certificate is tied to a WebID?
>
> Can we become notaries or CAs ourselves and sign each other's certs?
Received on Saturday, 30 April 2011 20:31:48 UTC
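
The check described in the message above, as an added example that is not part of the original post or of any WebID implementation: the verifier dereferences the WebID named in the certificate, accepts the login only if the card lists the certificate's public key, and derives trust from foaf:knows rather than from the issuer. The `ClientCert` and `Profile` models, the `WEB` dictionary standing in for HTTP dereferencing, and all URIs and key values are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class ClientCert:
    """Fields a server reads from the TLS client certificate (simplified model)."""
    san_uri: str    # WebID URI carried in the certificate
    modulus: int    # RSA public key modulus
    exponent: int   # RSA public exponent
    issuer: str     # never consulted below: a self-signed cert is fine

@dataclass
class Profile:
    """What a verifier extracts from a dereferenced foaf card."""
    keys: set = field(default_factory=set)    # {(modulus, exponent), ...}
    knows: set = field(default_factory=set)   # foaf:knows targets (WebID URIs)

# Constructed sample data standing in for fetching each foaf card over HTTP.
WEB = {
    "https://alice.example/card#me": Profile(
        keys={(0xA11CE5, 65537), (0xA11CE7, 65537)},  # two certs, one identity
        knows={"https://bob.example/card#me"}),
    "https://bob.example/card#me": Profile(keys={(0xB0B123, 65537)}),
}

def authenticate(cert, web=WEB):
    """Return the verified WebID, or None.

    Assumes the TLS handshake already proved the client holds the private
    key matching the certificate's public key; that step is not modelled.
    """
    profile = web.get(cert.san_uri)      # dereference the claimed WebID
    if profile is None:
        return None                      # card unreachable: fail closed
    if (cert.modulus, cert.exponent) not in profile.keys:
        return None                      # card does not list this key
    return cert.san_uri

def trusted_by(webid, relying_webid, web=WEB):
    """Trust is read from linked data (foaf:knows), not from the certificate."""
    profile = web.get(relying_webid)
    return profile is not None and webid in profile.knows
```

A certificate that names Alice's WebID but carries a key her card does not list is rejected regardless of who issued it, which is why a CA signature adds nothing to this check.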