RE: PKI signing of certs with SAN URIs : NVSI : openid domain procedures

I think the formulation below is good.

One has to confirm webid validation using the process, as specified.

Anything else is "extra evidence". It's up to relying parties to care about it (and require it).

Since a true webid validation will just ignore a cert chain (because a CONFORMING implementation WILL NOT insist the client is self-signed), both worlds cooperate.

80% of the world can do webid. 20% can overlay PKI, probably for fancy transactions like talking to e-Gov IDPs, etc. They may even require national ID cards. But it's an opt-in - by relying party.

Typically, RPs do as little as possible. So, create a world in which 80% of what they need to do happens fine, using webid.
-----Original Message-----

It all comes down to what you are trying to verify. Do you want to check the validity of the certificate or the validity of the WebID? 

For example: a certificate could be issued by a trusted CA, but it does not mean that it can contain a valid WebID URI in its subjectAltName, nor a valid foaf card dereferenced by the URI -- and a matching modulus/exponent pair in the card.

Received on Saturday, 30 April 2011 23:01:33 UTC
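The check the quoted message describes, as an added example written for this archive page (it is not code from either poster or from any WebID implementation): take the URI out of the certificate's subjectAltName, dereference it to the profile document, and accept the WebID only if that document publishes the same RSA modulus and exponent the certificate carries. The CA chain is not consulted; the relying party's "extra evidence" PKI check is an explicit opt-in flag. Everything here is an assumption for the sake of a runnable, offline example: the certificate fields are passed in already parsed (a real deployment would read them from the TLS client certificate with an X.509 library), HTTP dereferencing is replaced by an in-memory table of constructed Turtle profile documents, and the profile is scanned with regular expressions rather than a real RDF parser. The key material is made up and is not a real key.

```python
import re
from dataclasses import dataclass
from urllib.parse import urldefrag

# Constructed sample key material (not real keys): the modulus/exponent pair a
# real implementation would read out of the client certificate's public key.
ALICE_MODULUS = int("c0ffee" * 40, 16)
ALICE_EXPONENT = 65537
MALLORY_MODULUS = int("deadbeef" * 30, 16)

# Constructed profile documents in Turtle, keyed by document URI (the WebID
# minus its fragment). Vocabulary and layout follow the 2011 WebID drafts and
# are an assumption of this example.
PROFILES = {
    "https://alice.example/profile": f"""
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix rsa:  <http://www.w3.org/ns/auth/rsa#> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .
<#me> a foaf:Person ; foaf:name "Alice" .
[] a rsa:RSAPublicKey ;
   cert:identity <#me> ;
   rsa:modulus "{ALICE_MODULUS:x}"^^xsd:hexBinary ;
   rsa:public_exponent "{ALICE_EXPONENT}"^^xsd:int .
""",
}

# Minimal, assumption-laden scan of a Turtle profile: one blank-node block per
# published RSA key. A production verifier would use a proper RDF parser.
KEY_BLOCK = re.compile(r"\[\]\s+a\s+rsa:RSAPublicKey\s*;(?P<body>.*?)\s\.", re.S)
FIELD = re.compile(r'(cert:identity|rsa:modulus|rsa:public_exponent)\s+(<[^>]+>|"[^"]*")')


def keys_for(profile_text, webid):
    """Return the (modulus, exponent) pairs the profile publishes for `webid`.

    Only key blocks whose cert:identity names this WebID count; a key listed
    for some other identity in the same document is not evidence."""
    _doc_uri, fragment = urldefrag(webid)
    accepted = {f"<{webid}>", f"<#{fragment}>"}  # absolute or document-relative
    keys = []
    for block in KEY_BLOCK.finditer(profile_text):
        fields = dict(FIELD.findall(block.group("body")))
        if fields.get("cert:identity") not in accepted:
            continue
        try:
            keys.append((int(fields["rsa:modulus"].strip('"'), 16),
                         int(fields["rsa:public_exponent"].strip('"'))))
        except (KeyError, ValueError):
            continue  # malformed key block: ignore rather than guess
    return keys


@dataclass
class ClientCert:
    """The pieces of a TLS client certificate the check needs (assumed
    pre-parsed). chain_valid is what an X.509 path validation would report."""
    san_uris: list
    modulus: int
    exponent: int
    chain_valid: bool = False


def verify_webid(cert, fetch=PROFILES.get, require_pki_chain=False):
    """Return the first SAN URI proven by its profile document, else None.

    Conforming WebID validation never looks at the issuer chain, so a
    self-signed certificate passes. require_pki_chain is the relying party's
    opt-in "extra evidence" and is off by default."""
    if require_pki_chain and not cert.chain_valid:
        return None
    for uri in cert.san_uris:
        doc_uri, _fragment = urldefrag(uri)
        profile = fetch(doc_uri)          # stands in for an HTTPS GET
        if profile is None:
            continue
        if (cert.modulus, cert.exponent) in keys_for(profile, uri):
            return uri
    return None


# Constructed certificates. Alice's is self-signed; Mallory's is issued by a
# trusted CA but claims Alice's WebID with Mallory's own key.
ALICE_SELF_SIGNED = ClientCert(["https://alice.example/profile#me"],
                               ALICE_MODULUS, ALICE_EXPONENT, chain_valid=False)
MALLORY_CA_SIGNED = ClientCert(["https://alice.example/profile#me"],
                               MALLORY_MODULUS, 65537, chain_valid=True)

if __name__ == "__main__":
    print("alice (self-signed):", verify_webid(ALICE_SELF_SIGNED))
    print("mallory (CA-signed, wrong key):", verify_webid(MALLORY_CA_SIGNED))
    print("alice with PKI opt-in:", verify_webid(ALICE_SELF_SIGNED, require_pki_chain=True))
```

Running it shows the two halves of the point: the CA-signed certificate fails because the profile at the claimed URI does not publish its key, and the self-signed one passes unless the relying party turns on the chain requirement.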