
RE: PKI signing of certs with SAN URIs : NVSI : openid domain procedures

From: peter williams <home_pw@msn.com>
Date: Sat, 30 Apr 2011 15:57:16 -0700
Message-ID: <SNT143-ds1931FA99F9BA4ADE59A84F929D0@phx.gbl>
To: "'Melvin Carvalho'" <melvincarvalho@gmail.com>, "'Andrei Sambra'" <andrei@fcns.eu>
CC: "'WebID Incubator Group WG'" <public-xg-webid@w3.org>

If one super-imposes the cert-chain trust model, over and above webid
validation, I believe one MUST do both processes. It's an OPT-IN to PKI (that
is NOT mandatory to even implement, nor even a SHOULD implement).

One simply does TWO tests, at the relying party. The value of the second is
suspect. But, there are those who want it. I don't see why we should not
deliver it. I would not let it hijack "native webid" though.

Remember my suggestion. In access control, one asks for the "strength" of
evidence of the id claim. An auth logic can allow the guard to say: and it
must ALSO have evidence from a CA, on the following list. If the claim is
merely native webid, sorry, you are a member of "webid group" - not a member
of the group you claim.

Here, we are separating authz from authn, allowing the STRENGTH of evidence
of authn to influence authz's enforcement.

Comes down to whether you want a legacy/multi-protocol world to exist (for
adoption now), or you want to do research into an ideal web world (for
consumption in 3-5 years time).

I think the group is split, between those trying for adoption NOW, and those
who are researching for n years in the future.

Since major id events are ongoing THIS month or two, I'm not sure the
opportunity window will extend to 3 years from now. That's my worry. We can
argue lead-free gas is better than the gas we all remember used to get
50mpg. But, it requires one hell of an infrastructure power (eg the state of
CA) to enforce that kind of change, once the infrastructure is set in its

-----Original Message-----
From: public-xg-webid-request@w3.org [mailto:public-xg-webid-request@w3.org]
On Behalf Of Melvin Carvalho
Sent: Saturday, April 30, 2011 1:55 PM
To: Andrei Sambra
Cc: WebID Incubator Group WG
Subject: Re: PKI signing of certs with SAN URIs : NVSI : openid domain

On 30 April 2011 22:31, Andrei Sambra <andrei@fcns.eu> wrote:
> If I understand the first question, it should suffice for the CA to 
> extract the WebID and then dereference the foaf card indicated by the 
> URI. It's pretty much the same steps involved in performing WebID 
> authentication.
> For the second question, I don't see why we couldn't. However, I wonder 
> why we should do it. The question is, what are you looking to do? 
> Trust a certificate (its owner), or trust the people using it (the 
> owner of the FOAF card)?
> If you are referring to something similar to the PGP, then there is an 
> article on one of the wiki pages which describes why WebID makes it 
> easier to implement a web of trust, without signing anything. If you 
> are referring to the general case, as a way to improve trust, then I 
> still don't see why signing anything would improve trust.
> Now, let me rant for a little, since I've seen lots of emails on this 
> list discussing CAs and general issues related to PKI, and I also fear 
> some of the mailing list members still don't understand WebID.
> Quick recap: WebID offers first and foremost a way to authenticate 
> users. This is done using self-signed certificates (as far as CAs/PKI 
> systems are concerned) which contain a reference to the certificate 
> owner's public foaf card. This card serves as the user's "identity", 
> and contains one or more public keys belonging to one or more x509 
> certificates, which in turn serve to verify that browser certificate 
> which was used to point to this foaf card does indeed belong to the 
> card's identity.
> As you can see, the browser certificate is only useful to establish 
> that a user connecting to a service is indeed the owner of the foaf 
> card which contains his/her identity. Whatever trust relationships we 
> intend to form, do not involve the certificates! This is where the 
> linked data comes into play, and for example, we could simply use 
> foaf:knows to create a web of trust.
> I hope I've made myself clear. Oh, please do not consider this post as a 
> personal attack on someone, or my way to start a flame war.

I guess my question is asking:  As a verifying agent, do you even need to
check the FOAF card if you already trust the CA?  Of course you can do both.

> Andrei
> On Sat, 2011-04-30 at 21:49 +0200, Melvin Carvalho wrote:
>> A couple of questions:
>> Is it possible for a trusted CA to assert that a certificate is tied to a
>> Can we become notaries or CAs ourselves and sign each other's certs?
Received on Saturday, 30 April 2011 22:57:43 UTC
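
The two-test relying party described in this thread, with the strength of authentication evidence feeding the authorization decision, can be sketched as follows. This is an added example, not code from any participant or from the WebID group; the URIs, key values, CA name and group names are constructed, and the chain check is reduced to an issuer lookup as a stated simplification.

```python
from dataclasses import dataclass

# Constructed model of what a relying party holds after the TLS handshake.
# Real deployments parse X.509 and verify chain signatures; here the chain
# check is an issuer lookup so the policy logic stays visible (assumption).
@dataclass(frozen=True)
class ClientCert:
    san_uri: str      # WebID URI from subjectAltName
    modulus: int      # RSA public key of the presented certificate
    exponent: int
    issuer: str       # issuer name; the subject itself when self-signed

def webid_test(cert, profiles):
    """Test 1 (native WebID): the profile at the SAN URI lists the cert's key."""
    return (cert.modulus, cert.exponent) in profiles.get(cert.san_uri, set())

def pki_test(cert, trusted_cas):
    """Test 2 (opt-in PKI): the issuer is a CA on the guard's list."""
    return cert.issuer in trusted_cas

def evidence(cert, profiles, trusted_cas):
    """Run both tests; PKI evidence is layered over a passing WebID test."""
    if not webid_test(cert, profiles):
        return frozenset()
    found = {"webid"}
    if pki_test(cert, trusted_cas):
        found.add("pki")
    return frozenset(found)

def effective_group(claimed_group, found, required):
    """Authz: grant the claimed group only if its required evidence is present."""
    if not found:
        return None                    # authentication failed outright
    if required.get(claimed_group, {"webid"}) <= found:
        return claimed_group
    return "webid group"               # authenticated, but evidence too weak

# Constructed sample data (hypothetical URI, keys, CA and group names).
URI = "https://alice.example/card#me"
PROFILES = {URI: {(0xC0FFEE, 65537)}}
TRUSTED_CAS = {"Example Trusted CA"}
REQUIRED = {"staff": {"webid", "pki"}, "friends": {"webid"}}
SELF_SIGNED = ClientCert(URI, 0xC0FFEE, 65537, "alice")
CA_SIGNED = ClientCert(URI, 0xC0FFEE, 65537, "Example Trusted CA")
WRONG_KEY = ClientCert(URI, 0xBAD, 65537, "Example Trusted CA")
```
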
