- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Sat, 30 Apr 2011 22:54:47 +0200
- To: Andrei Sambra <andrei@fcns.eu>
- Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
On 30 April 2011 22:31, Andrei Sambra <andrei@fcns.eu> wrote:

> If I understand the first question, it should suffice for the CA to
> extract the WebID and then dereference the foaf card indicated by the
> URI. It's pretty much the same steps involved in performing WebID
> authentication.
>
> For the second question, I don't know why we couldn't. However, I wonder why
> we should do it. The question is, what are you looking to do? Trust a
> certificate (its owner), or trust the people using it (the owner of the
> FOAF card)?
>
> If you are referring to something similar to PGP, then there is an
> article on one of the wiki pages which describes why WebID makes it
> easier to implement a web of trust, without signing anything. If you are
> referring to the general case, as a way to improve trust, then I still
> don't see why signing anything would improve trust.
>
> Now, let me rant for a little, since I've seen lots of emails on this
> list discussing CAs and general issues related to PKI, and I also fear
> some of the mailing list members still don't understand WebID.
>
> Quick recap: WebID offers first and foremost a way to authenticate
> users. This is done using self-signed certificates (as far as CAs/PKI
> systems are concerned) which contain a reference to the certificate
> owner's public foaf card. This card serves as the user's "identity", and
> contains one or more public keys belonging to one or more x509
> certificates, which in turn serve to verify that the browser certificate
> which was used to point to this foaf card does indeed belong to the
> card's identity.
>
> As you can see, the browser certificate is only useful to establish that
> a user connecting to a service is indeed the owner of the foaf card
> which contains his/her identity. Whatever trust relationships we intend
> to form do not involve the certificates! This is where the linked data
> comes into play, and for example, we could simply use foaf:knows to
> create a web of trust.
>
> I hope I've made myself clear. Oh, please do not consider this post as a
> personal attack on someone, or my way to start a flame war.

I guess my question is asking: As a verifying agent, do you even need to check the FOAF card if you already trust the CA? Of course you can do both.

> Andrei
>
> On Sat, 2011-04-30 at 21:49 +0200, Melvin Carvalho wrote:
>> A couple of questions:
>>
>> Is it possible for a trusted CA to assert that a certificate is tied to a WebID?
>>
>> Can we become notaries or CAs ourselves and sign each other's certs?
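The authentication steps Andrei recaps above (extract the WebID from the certificate, dereference the foaf card, confirm that the card lists the certificate's public key), put beside the CA check Melvin asks about, as an added example that is not part of this thread and not the WebID group's code. It assumes the card uses the cert: vocabulary (cert:key, cert:modulus, cert:exponent), which the thread does not spell out; the Turtle card, the certificate fields, the in-memory `dereference` and the issuer-name trust store are constructed stand-ins for HTTP fetching and X.509 chain validation.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for an X.509 cert: only the fields the check needs."""
    issuer: str          # issuer DN, used by the simulated CA check
    san_uri: str         # subjectAltName URI, i.e. the WebID
    modulus_hex: str     # RSA public-key modulus as hex
    exponent: int        # RSA public exponent


# Constructed foaf card that would be served at https://example.org/alice/card.
# It uses the cert: vocabulary (cert:key / cert:modulus / cert:exponent), an
# assumption about the card format that the thread itself does not state.
ALICE_CARD = """\
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .

<https://example.org/alice/card#me> a foaf:Person ;
    foaf:name "Alice (constructed)" ;
    foaf:knows <https://example.org/bob/card#me> ;
    cert:key [ a cert:RSAPublicKey ;
        cert:modulus "C0FFEE0123456789ABCDEF"^^xsd:hexBinary ;
        cert:exponent 65537 ] .
"""

# In-memory stand-in for dereferencing the card over HTTP.
CARDS = {"https://example.org/alice/card": ALICE_CARD}

# Simulated CA trust store keyed by issuer DN (stand-in for chain validation).
TRUSTED_ISSUERS = {"CN=Example Trusted CA"}

SUBJECT = re.compile(r"^<([^>]+)>", re.MULTILINE)   # statements whose subject is a URI
KEY_BLOCK = re.compile(r"cert:key\s*\[([^\]]*)\]")   # blank-node key description
MODULUS = re.compile(r'cert:modulus\s+"([0-9A-Fa-f\s]+)"')
EXPONENT = re.compile(r"cert:exponent\s+(\d+)")


def normalize_hex(h):
    """Compare moduli case-insensitively and ignoring whitespace."""
    return re.sub(r"\s+", "", h).lower()


def dereference(document_uri):
    return CARDS.get(document_uri)


def card_keys(turtle, webid):
    """Return {(modulus, exponent)} for every cert:key the card attaches to webid.
    Minimal regex parser for the Turtle subset above, not a general RDF parser."""
    subjects = [(m.start(), m.group(1)) for m in SUBJECT.finditer(turtle)]
    keys = set()
    for block in KEY_BLOCK.finditer(turtle):
        owner = None
        for pos, uri in subjects:       # nearest preceding URI subject owns the block
            if pos < block.start():
                owner = uri
        if owner != webid:
            continue
        mod, exp = MODULUS.search(block.group(1)), EXPONENT.search(block.group(1))
        if mod and exp:
            keys.add((normalize_hex(mod.group(1)), int(exp.group(1))))
    return keys


def webid_claim_holds(cert):
    """The steps from the thread: WebID out of the cert, dereference the card,
    confirm the card lists this cert's public key."""
    webid = cert.san_uri
    document = dereference(webid.split("#", 1)[0])
    if document is None:
        return False
    return (normalize_hex(cert.modulus_hex), cert.exponent) in card_keys(document, webid)


def ca_trusts(cert):
    return cert.issuer in TRUSTED_ISSUERS


def verify(cert):
    """The two checks answer different questions, so report both."""
    return {"ca_trusted": ca_trusts(cert), "webid_claim_holds": webid_claim_holds(cert)}


# Constructed certificates.
ALICE_SELF_SIGNED = Certificate(
    issuer="CN=Alice (self-signed)",
    san_uri="https://example.org/alice/card#me",
    modulus_hex="c0ffee0123456789abcdef",
    exponent=65537,
)
# CA-signed and naming Alice's WebID, but carrying a key her card does not list.
CA_SIGNED_OTHER_KEY = Certificate(
    issuer="CN=Example Trusted CA",
    san_uri="https://example.org/alice/card#me",
    modulus_hex="deadbeef00",
    exponent=65537,
)

if __name__ == "__main__":
    print("self-signed:", verify(ALICE_SELF_SIGNED))
    print("CA-signed, other key:", verify(CA_SIGNED_OTHER_KEY))
```

Running it shows the distinction behind the question in the thread: the self-signed certificate passes the WebID check with no CA involved at all, while the CA-signed certificate is trusted by the simulated CA store yet fails the WebID check, because CA trust says who issued the certificate and the card check says whether the card's owner lists that key.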
Received on Saturday, 30 April 2011 20:55:15 UTC