RE: qualified "reference" FYI from Peter Williams on 2011-02-08 (public-xg-webid@w3.org from February 2011)

From: Peter Williams <home_pw@msn.com>
Date: Tue, 8 Feb 2011 09:00:09 -0800
To: <henry.story@bblfish.net>
CC: "public-xg-webid@w3.org" <public-xg-webid@w3.org>
Message-ID: <SNT143-w6030B8AD2CAEACF9D230D992EA0@phx.gbl>

 There is a lot not  being said (becuase it forces issues into the the public space that some folks think be best "not" public - since they are generally intractable).

we are used to distinguishing between relying on a security services (such as the cert doing asymmetric key management security servicce) and using a security service. For example, one might use an expired cert to decrypt the message sent to you headed "bomb threat at 1pm". ONe cannot rely - a formal semantic - becuase its expired. Typically, such reliance is actually prohibited. Depending on the governance regime, use may also be prohibited.

The qualified cert concept is about regularizing this kind of issue, and the space of use semantics - of which use and reliance are only two. They define another: qualified [use/reliance]. the point is that its distinguished, with the qualifier "qualified X".

If one uses, cites, references, de-ferences a QCR - its a regulated act, subject to legal sanction if used outside the "german model" for example. The Austrailians seem to be the most zealous about this concepts of programme and its associated framework having tied it all up common law presumptions, much as Germans tied it up to the german law and legal tradition. What is good, relevant to  governance, is that is at least a ability for the "seccre reference" to tie into various legal regimes, of very different designs and cultures.

We cannot object to this. We have always said that a client cert CAN be third-party issued. So long as folks are not denied the self-signed cert by default (being articulated through EV forum, and its IETF-related PKIX vendors) I dont think there is any real change to the status quo. Qualified certs (and their references) just add to the fun.

> Subject: Re: qualified "reference" FYI
> From: henry.story@bblfish.net
> Date: Tue, 8 Feb 2011 17:47:47 +0100
> CC: public-xg-webid@w3.org
> To: home_pw@msn.com
> 
> 
> On 8 Feb 2011, at 17:34, Peter Williams wrote:
> 
> > http://www.nehta.gov.au/component/docman/doc_download/708-qualified-certificate-reference-v11-draft-2009-05-07
> 
> from the spec:
> 
> [[
> A QCR allows clients to obtain an X.509 certificate, which in
> turn will be used to secure messages, especially for Web services request and
> response.
> 
> [snip]
> 
> This document only covers identifying parties in NEHTA specifications that use
> the XML format to represent data. In particular, this includes data in NEHTA
> Web services specifications.
> ]]
> 
> The interesting thing is that they think of referring to PEM files, the weird thing is that they have a bunch of URLs for different protocol types it seems
> 
> http://ns.nehta.gov.au/Qcr/Ref/Http/1.0
> 
> is for certificate types which one can get using HTTP
> 
> http://www.healthcare.com.au/pki/clinic234.cer
> 
> and
> 
> http://ns.nehta.gov.au/Qcr/Ref/Ldap/1.0
> 
> is for certificates which one can get using ldap
> 
> ldap://ldap.healthcare.com.au:6666/cn=RP%20gp2%20org%20
> :2330726155,ou=
> RP%20gp2%20org,o=RP%20gp2%20org,l=TUGGERANONG,st=ACT,c=AU
> 
> This looks like over the top modelling to me, something that
> often happens - and in the semweb space too - to beginners.
> 
> Henry
> 
> 
> Social Web Architect
> http://bblfish.net/
>

Received on Tuesday, 8 February 2011 17:01:04 UTC