- From: Peter Williams <home_pw@msn.com>
- Date: Sat, 31 Dec 2011 10:14:38 -0800
- To: <kidehen@openlinksw.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
Identifier equivalence has been asserted in a signed claim via the use of multiple URIs in a Cert's SAN. The effect here is that we have synonyms, so the public key associated with URI-B is now also a relation with URI-A. The fact that we can't make a union of all the data that one could de-reference via URI-A and URI-B doesn't matter re. this kind of equivalence and the resulting assurance.

-------

Ok. We are now starting to sound like professional security engineers working in an established language game (not web heads, or academics making new language games for research purposes). We will (next month) need to go further than equivalencies, evaluated during validation at the time of _original_ assertion. What we learned over 20 years of doing CA and PKI was the importance of validation, vs. assertion.

The reason Authenticode works at huge scale, and over decade time, is because they used a 2-timeframe validation model. The signed acknowledgement (by a validator) when ACCOMPANYING an assertion is what matters. When a WebID validation agent says "yes", this is the (semantic) signature that matters, not just the one made by the subscriber.

That's getting abstract, so here is the example: you get a cert. You sign an .exe. As author and original publisher, you have an initial validator verify the signature on the .exe, and the cert, and the CA MUST confirm (by new signature) that the cert is a valid binding to the author/publisher, AT THE TIME of original publication. Said timestamp of original validity (back then) is attached to the .exe, along with the original signature and original cert. Now the code validator 10 years later can leverage what the first validator did, 10 years earlier, to RE-assert the validity of the .exe (still working and being tested 10 years hence, long after the cert has become invalid due to temporal expiry).
Received on Saturday, 31 December 2011 18:15:12 UTC
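The 2-timeframe model described in the message above, as an added example that is not part of the original post or of any WebID or Authenticode implementation. It uses a toy certificate structure and Ed25519 signatures (from Go's standard library) in place of X.509 and the Authenticode PKCS#7 format; the names `Cert`, `Countersignature`, `countersign`, `verifyNaive`, `verifyTwoTimeframe` and `Demo`, the subject name and the artifact bytes are all constructed for this illustration. The first validator countersigns a hash of the author's signature together with the instant it checked the cert; ten years later a verifier that judges the cert against its own clock rejects the artifact, while one that judges it at the countersigned instant still accepts it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Cert is a toy stand-in for an end-entity certificate (constructed for this
// example, not X.509): subject, public key, validity window, CA signature.
type Cert struct {
	Subject   string
	PubKey    ed25519.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	CASig     []byte
}

// appendUnix encodes a timestamp as 8 big-endian bytes for signing.
func appendUnix(b []byte, t time.Time) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], uint64(t.Unix()))
	return append(b, buf[:]...)
}

// certTBS is the "to be signed" byte string the CA commits to.
func certTBS(subject string, pub ed25519.PublicKey, nb, na time.Time) []byte {
	b := append([]byte(subject), pub...)
	return appendUnix(appendUnix(b, nb), na)
}

func issueCert(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey, nb, na time.Time) Cert {
	return Cert{subject, pub, nb, na, ed25519.Sign(caPriv, certTBS(subject, pub, nb, na))}
}

// validAt checks the CA signature on the cert and that t lies inside the window.
func validAt(caPub ed25519.PublicKey, c Cert, t time.Time) bool {
	if !ed25519.Verify(caPub, certTBS(c.Subject, c.PubKey, c.NotBefore, c.NotAfter), c.CASig) {
		return false
	}
	return !t.Before(c.NotBefore) && !t.After(c.NotAfter)
}

// Countersignature is the first validator's signed acknowledgement: it binds
// the author's signature to the instant at which the validator confirmed it.
type Countersignature struct {
	SigHash [32]byte  // hash of the author's signature being attested
	At      time.Time // when the validator confirmed cert + signature
	TSASig  []byte    // validator's signature over SigHash || At
}

func tsaTBS(h [32]byte, at time.Time) []byte {
	return appendUnix(append([]byte{}, h[:]...), at)
}

// countersign is the publication-time step: verify the author's signature and
// cert now, then sign the fact that this was done and when.
func countersign(caPub ed25519.PublicKey, tsaPriv ed25519.PrivateKey, artifact []byte, c Cert, sig []byte, now time.Time) (Countersignature, error) {
	if !ed25519.Verify(c.PubKey, artifact, sig) {
		return Countersignature{}, errors.New("author signature does not verify")
	}
	if !validAt(caPub, c, now) {
		return Countersignature{}, errors.New("author cert not valid at publication time")
	}
	h := sha256.Sum256(sig)
	return Countersignature{h, now, ed25519.Sign(tsaPriv, tsaTBS(h, now))}, nil
}

// verifyNaive judges the author cert against the verifier's own clock.
func verifyNaive(caPub ed25519.PublicKey, artifact []byte, c Cert, sig []byte, now time.Time) bool {
	return ed25519.Verify(c.PubKey, artifact, sig) && validAt(caPub, c, now)
}

// verifyTwoTimeframe trusts the validator's attestation of *when* the signature
// was checked, and judges the author cert at that instant instead of now.
func verifyTwoTimeframe(caPub, tsaPub ed25519.PublicKey, artifact []byte, c Cert, sig []byte, cs Countersignature) bool {
	if sha256.Sum256(sig) != cs.SigHash {
		return false // countersignature is for a different signature
	}
	if !ed25519.Verify(tsaPub, tsaTBS(cs.SigHash, cs.At), cs.TSASig) {
		return false // validator's acknowledgement is forged or altered
	}
	return ed25519.Verify(c.PubKey, artifact, sig) && validAt(caPub, c, cs.At)
}

// Demo publishes a constructed artifact and returns the verdicts of the naive
// and the two-timeframe verifier ten years after the cert has expired.
func Demo() (naive bool, twoTimeframe bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, tsaPriv, _ := ed25519.GenerateKey(rand.Reader)
	authorPub, authorPriv, _ := ed25519.GenerateKey(rand.Reader)

	published := time.Date(2011, 12, 31, 18, 15, 12, 0, time.UTC) // constructed
	cert := issueCert(caPriv, "example author", authorPub, published.AddDate(0, -1, 0), published.AddDate(1, 0, 0))
	artifact := []byte("constructed sample: contents of program.exe")
	sig := ed25519.Sign(authorPriv, artifact)
	cs, err := countersign(caPub, tsaPriv, artifact, cert, sig, published)
	if err != nil {
		panic(err)
	}
	later := published.AddDate(10, 0, 0) // cert expired nine years ago
	return verifyNaive(caPub, artifact, cert, sig, later),
		verifyTwoTimeframe(caPub, tsaPub, artifact, cert, sig, cs)
}

func main() {
	naive, two := Demo()
	fmt.Printf("10 years on: naive=%v two-timeframe=%v\n", naive, two)
}
```

The design point is in `verifyTwoTimeframe`: the only long-lived trust anchor is the validator's key, so the verifier must check the countersignature first and may only then reuse the validator's timestamp as the instant at which the author's cert is judged. Dropping either check collapses the scheme back to the naive one or lets an unattested timestamp be supplied by whoever controls the artifact.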