Re: TLS-Light

On 12/1/11 8:18 AM, Henry Story wrote:
>
> On 1 Dec 2011, at 13:59, Peter Williams wrote:
>
>> Ive come to the conclusion that the current and likely all 
>> future versions of windows, natively, cannot be a platform for the 
>> webid validation protocol - as conceived. Any native implementation 
>> cannot be complete (and stay consistent with how windows natively is 
>> supposed to be used). Windows will support many of the cases, but not 
>> all. Per the threads title, the topic is indeed SSL (where I have 
>> lots of expertise), and certs (where I have probably have the most 
>> continuous years experience of anyone on the planet). Its a 
>> specialized area in which handshakes, crypto and certs combine, to 
>> enforce security policy in an trusted computing base. From what I can 
>> tell, few folks here have any knowhow in this topic area - which is 
>> quite normal - and its not driving the standard. Folks here are 
>> mostly app programmers, working outside the a distributed kernel - 
>> and are not too concerned with distributed operating system design.
>>
>> Windows and IIS 7 cannot naturally take a self-signed client cert on 
>> an ssl handshake and work with it. The cert must be rooted, somehow, 
>> beforehand. There are lots of ways to root it (including 
>> cross-certs), but rooted it must be. This is becuase windows is a 
>> B3-equivalent platform (see Orange book for what that means), and 
>> information is labelled (essentially) within the kernel (B1), with 
>> processes and threads being similarly compartmentalized as a result 
>> (B3). Doing professional crypto and information security, the kernel 
>> uses certs and keys and handshakes and decipherment to enforce the 
>> rules of a trusted computing based designed to impose and enforce 
>> label based integrity and access controls. These are the things that 
>> harden an OS, and protect one user from another in the assumed world 
>> of attacks on the TCB's own code. once crypto for communications 
>> enters a kernel, it hardends a network OS (or NOS). Today, the state 
>> of the art is NOS at the scale of a active directory federation 
>> ("enterprise class" windows). This means.. MAN scale, but not 
>> national or web scale.
>
> WebID  Certificates  don't absolutely have to be self signed. Those 
> generated by servers usually are not self-signed.
> Does Windows require the Certificate to be signed by a CA known to it, 
> or is it just a formal thing that the certificate needs to be signed?

You have to make a root cert. Then you register with the Windows 
keystore. Then you have to use that Cert. to sign WebID watermarked 
certs. This is what we had to go through last year when I made the IE 
and WebID demos.

The test is simple, try WebID modulo what I've outlined above via IE.

[SNIP]

>
>
>
>>
>>
>
> Social Web Architect
> http://bblfish.net/
>


-- 

Regards,

Kingsley Idehen	
Founder&  CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen