Re: WebID-ISSUE_22: Key Pair Revocation / WebID reset [WebID Spec]

On 1 Feb 2011, at 20:27, Peter Williams wrote:

> This is a scoping issue - as certs are (formally) out of scope of SSL, in TLS spec terms and the underlying (SSL only) patent controlled by IESG. What is normally termed "key management" or "certificate lifecycle management" is distinct from enabling the now-keyed entities to establish secure channels (https) or secure flows (webid protocol , or https' as I want to keep calling it).

So the interesting thing is that TLS does come with a mechanism for certificate revocation, namely what is known as Certificate Revocation Lists (CRLs) http://en.wikipedia.org/wiki/Certificate_revocation_list
or more precisely http://tools.ietf.org/html/rfc5280

These seem to be very little used, due to issues of overloading the CAs with potentially huge numbers of requests from every browser in the world...

With WebID the protocol could be seen as including CRLs in the protocol:  dereference the WebID and you have checked if the cert is still valid or not. As there is no reason to centralise all the WebIDs on one large profile server, there is a lot less danger of unintentional denial of service attacks.

>  Here we need to focus on the profile doc, not the cert.

yes, and that is what we have been doing .

> [snip some of Peter's talk, which went of in a different direction which
>  had little to do with certificate revocation. I'll post my response in a new thread]

Received on Tuesday, 1 February 2011 21:53:51 UTC