- From: Andrei Sambra <andrei@fcns.eu>
- Date: Sat, 30 Apr 2011 22:59:03 +0200
- To: Melvin Carvalho <melvincarvalho@gmail.com>
- Cc: WebID Incubator Group WG <public-xg-webid@w3.org>
On Sat, 2011-04-30 at 22:54 +0200, Melvin Carvalho wrote:
> On 30 April 2011 22:31, Andrei Sambra <andrei@fcns.eu> wrote:
> > If I understand the first question, it should suffice for the CA to
> > extract the WebID and then dereference the foaf card indicated by the
> > URI. It's pretty much the same steps involved in performing WebID
> > authentication.
> >
> > For the second question, I don't see why we couldn't. However, I wonder why
> > we should do it. The question is, what are you looking to do? Trust a
> > certificate (its owner), or trust the people using it (the owner of the
> > FOAF card)?
> >
> > If you are referring to something similar to PGP, then there is an
> > article on one of the wiki pages which describes why WebID makes it
> > easier to implement a web of trust, without signing anything. If you are
> > referring to the general case, as a way to improve trust, then I still
> > don't see why signing anything would improve trust.
> >
> > Now, let me rant for a little, since I've seen lots of emails on this
> > list discussing CAs and general issues related to PKI, and I also fear
> > some of the mailing list members still don't understand WebID.
> >
> > Quick recap: WebID offers first and foremost a way to authenticate
> > users. This is done using self-signed certificates (as far as CAs/PKI
> > systems are concerned) which contain a reference to the certificate
> > owner's public foaf card. This card serves as the user's "identity", and
> > contains one or more public keys belonging to one or more x509
> > certificates, which in turn serve to verify that the browser certificate
> > which was used to point to this foaf card does indeed belong to the
> > card's identity.
> >
> > As you can see, the browser certificate is only useful to establish that
> > a user connecting to a service is indeed the owner of the foaf card
> > which contains his/her identity. Whatever trust relationships we intend
> > to form do not involve the certificates! This is where the linked data
> > comes into play, and for example, we could simply use foaf:knows to
> > create a web of trust.
> >
> > I hope I've made myself clear. Oh, please do not consider this post as a
> > personal attack on someone, or my way to start a flame war.
>
> I guess my question is asking: As a verifying agent, do you even need
> to check the FOAF card if you already trust the CA? Of course you can
> do both.
>

It all comes down to what you are trying to verify. Do you want to check
the validity of the certificate or the validity of the WebID? For
example: a certificate could be issued by a trusted CA, but it does not
mean that it contains a valid WebID URI in its subjectAltName, nor a
valid foaf card dereferenced by the URI -- and a matching
modulus/exponent pair in the card.

> >
> > Andrei
> >
> > On Sat, 2011-04-30 at 21:49 +0200, Melvin Carvalho wrote:
> >> A couple of questions:
> >>
> >> Is it possible for a trusted CA to assert that a certificate is tied to a WebID?
> >>
> >> Can we become notaries or CAs ourselves and sign each other's certs?
Received on Saturday, 30 April 2011 20:59:36 UTC
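The check Andrei describes (take the WebID URI out of subjectAltName, dereference the card, look for the certificate's own modulus/exponent in it), written out as an added example that is not part of the original thread and not code from any WebID implementation. It uses only the Go standard library. Everything about the card is an assumption made for the example: the card is a constructed in-memory Turtle snippet using cert:key / cert:modulus / cert:exponent terms (the vocabulary was still being settled at the time of this thread), it is looked up from a map instead of fetched over HTTP, and the extractor is a regular expression tied to that exact layout rather than an RDF parser. The second case in main shows Andrei's point: a perfectly well-formed certificate that merely claims someone else's WebID is rejected because that card does not list its key, and whether a CA signed the certificate never enters the decision.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// newWebIDCert issues a self-signed certificate whose subjectAltName carries the
// WebID as a URI entry, which is all a WebID login needs from the certificate.
func newWebIDCert(webid string, key *rsa.PrivateKey) (*x509.Certificate, error) {
	u, err := url.Parse(webid)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "WebID example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		URIs:         []*url.URL{u}, // subjectAltName: URI:<webid>
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// foafCard builds a constructed Turtle card that publishes the key's modulus and
// exponent under the WebID. The cert: terms are an assumed card layout.
func foafCard(webid string, pub *rsa.PublicKey) string {
	return fmt.Sprintf(`@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .

<%s> cert:key [
    a cert:RSAPublicKey ;
    cert:modulus "%s"^^xsd:hexBinary ;
    cert:exponent %d
] .
`, webid, hex.EncodeToString(pub.N.Bytes()), pub.E)
}

// keyPattern matches one modulus/exponent pair in the layout foafCard emits.
// A real verifier would parse the card with an RDF parser instead.
var keyPattern = regexp.MustCompile(`cert:modulus\s+"([0-9a-fA-F\s]+)"\^\^xsd:hexBinary\s*;\s*cert:exponent\s+(\d+)`)

// extractKeys returns the RSA public keys the card attaches to webid. The
// subject check is textual, so it only works for single-subject cards like the
// constructed one above.
func extractKeys(card, webid string) []*rsa.PublicKey {
	if !strings.Contains(card, "<"+webid+"> cert:key") {
		return nil // the card assigns no key to this WebID
	}
	var keys []*rsa.PublicKey
	for _, m := range keyPattern.FindAllStringSubmatch(card, -1) {
		n, ok := new(big.Int).SetString(strings.Join(strings.Fields(m[1]), ""), 16)
		if !ok {
			continue
		}
		e, err := strconv.Atoi(m[2])
		if err != nil {
			continue
		}
		keys = append(keys, &rsa.PublicKey{N: n, E: e})
	}
	return keys
}

// verifyWebID runs the check from the thread: URI from subjectAltName, dereference
// the card (fetch stands in for an HTTP GET), match modulus and exponent.
func verifyWebID(cert *x509.Certificate, fetch func(string) (string, bool)) (string, error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("certificate key is not RSA")
	}
	if len(cert.URIs) == 0 {
		return "", errors.New("no WebID URI in subjectAltName")
	}
	var lastErr error
	for _, u := range cert.URIs {
		webid := u.String()
		card, found := fetch(webid)
		if !found {
			lastErr = fmt.Errorf("%s cannot be dereferenced", webid)
			continue
		}
		for _, k := range extractKeys(card, webid) {
			if k.N.Cmp(pub.N) == 0 && k.E == pub.E {
				return webid, nil // the card vouches for this certificate
			}
		}
		lastErr = fmt.Errorf("no key in %s matches the certificate", webid)
	}
	return "", lastErr
}

func main() {
	alice, bob := "https://example.org/alice#me", "https://example.org/bob#me"
	ka, _ := rsa.GenerateKey(rand.Reader, 2048)
	kb, _ := rsa.GenerateKey(rand.Reader, 2048)
	cards := map[string]string{ // constructed stand-in for the two published cards
		alice: foafCard(alice, &ka.PublicKey),
		bob:   foafCard(bob, &kb.PublicKey),
	}
	fetch := func(u string) (string, bool) { c, ok := cards[u]; return c, ok }

	genuine, _ := newWebIDCert(alice, ka)
	fmt.Println(verifyWebID(genuine, fetch)) // alice's key is in alice's card: accepted

	// A well-formed certificate that merely claims Bob's WebID is refused,
	// because Bob's card does not list this key; who signed it is irrelevant.
	impostor, _ := newWebIDCert(bob, ka)
	fmt.Println(verifyWebID(impostor, fetch))
}
```

In a deployment the fetch step is where the real work is: the WebID must be dereferenced over HTTPS with content negotiation, the card parsed as RDF, and the key looked up as a triple attached to the WebID itself rather than by a substring match, since a card can describe several agents.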