W3C home > Mailing lists > Public > public-xg-webid@w3.org > April 2011

Re: PKI signing of certs with SAN URIs : NVSI : openid domain procedures

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Sat, 30 Apr 2011 22:54:47 +0200
Message-ID: <BANLkTikbZiXq2n24U_SjhE4QcpC3BZBYUg@mail.gmail.com>
To: Andrei Sambra <andrei@fcns.eu>
Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
On 30 April 2011 22:31, Andrei Sambra <andrei@fcns.eu> wrote:
> If I understand the first question, it should suffice for the CA to
> extract the WebID and then dereference the foaf card indicated by the
> URI. It's pretty much the same steps involved in performing WebID
> authentication.
> For the second question, I don't why we couldn't. However, I wonder why
> we should do it. The question is, what are you looking to do? Trust a
> certificate (it's owner), or trust the people using it (the owner of the
> FOAF card)?
> If you are referring to something similar to the PGP, then there is an
> article on one of the wiki pages which describes why WebID makes it
> easier to implement a web of trust, without signing anything. If you are
> referring to the general case, as a way to improve trust, then I still
> don't see why signing anything would improve trust.
> Now, let me rant for a little, since I've seen lots of emails on this
> list discussing CAs and general issues related to PKI, and I also fear
> some of the mailing list members still don't understand WebID.
> Quick recap: WebID offers first and foremost a way to authenticate
> users. This is done using self-signed certificates (as far as CAs/PKI
> systems are concerned) which contain a reference to the certificate
> owner's public foaf card. This card serves as the user's "identity", and
> contains one or more public keys belonging to one or more x509
> certificates, which in turn serve to verify that browser certificate
> which was used to point to this foaf card does indeed belong to the
> card's identity.
> As you can see, the browser certificate is only useful to establish that
> a user connecting to a service is indeed the owner of the foaf card
> which contains his/her identity. Whatever trust relationships we intend
> to form, do not involve the certificates! This is where the linked data
> comes into play, and for example, we could simply use foaf:knows to
> create a web of trust.
> I hope I've made myself clear. Oh, please do not consider this post as
> personal attack to someone, or my way to start a flame war.

I guess my question is asking:  As a verifying agent, do you even need
to check the FOAF card if you already trust the CA?  Of course you can
do both.

> Andrei
> On Sat, 2011-04-30 at 21:49 +0200, Melvin Carvalho wrote:
>> A couple of questions:
>> Is it possible for a trusted CA to assert that a certificate is tied to a WebID?
>> Can we become notaries or CAs ourselves and sign each others certs?
>> >
>> >
>> >
>> >
Received on Saturday, 30 April 2011 20:55:15 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:44 UTC