- From: Stéphane Corlosquet <scorlosquet@gmail.com>
- Date: Mon, 31 Jan 2011 11:28:23 -0500
- To: WebID XG <public-xg-webid@w3.org>
- Message-ID: <AANLkTi=60zcN_GKH3oFx8Df6FBRNarjxEGOLPCwXjzcs@mail.gmail.com>
---------- Forwarded message ----------
From: Henry Story <henry.story@gmail.com>
Date: Tue, Aug 10, 2010 at 4:04 AM
Subject: Re: [foaf-protocols] Multiple URIs in SAN extension
To: Reto Bachmann-Gmür <me@farewellutopia.com>
Cc: foaf-protocols@lists.foaf-project.org

On 10 Aug 2010, at 09:11, Reto Bachmann-Gmür wrote:

> My latest draft, which I think you pulled, mandates exactly one URI.
>
> I don't know about reasons or advantages of having multiple uris.

One can have multiple URIs in a SAN; that is a fact of X.509. We don't know what the advantages may be of having multiple. So unless we can prove that it is illogical, we should not mandate having only one.

Furthermore I think there is a case to be made for having multiple URIs in a SAN for failover.

The way to deal with it is furthermore very simple. For every URI wid1, wid2, wid3, ... for which the WebID proof works it is true that

    pkey cert:identity wid, wid2, wid3 ...

since cert:identity is (well it should be) an owl:functionalProperty, it follows that

    wid = wid2 = wid3 = ...

This is useful for the RelyingAgent to know, as if at a later date one of those fails to be dereferenceable it can use the others.

Note that though this does give the user failover protection, it also increases the number of ways he can be attacked. But it is not that easy to create one X509 cert with many WebIDs in it, if it is not somehow coordinated by the same service, so there is reason to think that when it is used, it is used conscientiously.

Henry
Received on Monday, 31 January 2011 16:30:08 UTC
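
The per-URI check and the failover described in the message above can be sketched as follows. This is an added example, not code from the thread or from any WebID implementation: the profile store, the URIs, the key values and the function names `fetch_keys`, `verify_san_uris`, `record_aliases` and `known_agent` are all constructed for illustration, and dereferencing is modelled by a dictionary lookup. Only URIs whose proof succeeds are treated as equivalent; a URI that is merely listed in the SAN earns nothing.

```python
# Added illustration, not code from the thread. All URIs and keys are constructed.
# Profile documents keyed by WebID; each lists the public keys it claims,
# as (modulus hex, exponent). None models a profile that cannot be dereferenced.
PROFILES = {
    "https://alice.example/card#me": {("c0ffee", 65537)},
    "https://backup.example/alice#me": {("c0ffee", 65537)},
    "https://other.example/card#me": {("0ddba11", 65537)},
    "https://down.example/alice#me": None,
}

def fetch_keys(webid, profiles=PROFILES):
    """Hypothetical dereference step: return the profile's key set or raise."""
    keys = profiles.get(webid)
    if keys is None:
        raise ConnectionError(f"cannot dereference {webid}")
    return keys

def verify_san_uris(san_uris, cert_key, fetch=fetch_keys):
    """Run the WebID proof once per SAN URI; never trust a URI just for being listed."""
    verified, failed = [], {}
    for uri in san_uris:
        try:
            keys = fetch(uri)
        except ConnectionError:
            failed[uri] = "unreachable"
            continue
        if cert_key in keys:
            verified.append(uri)
        else:
            failed[uri] = "key not listed in profile"
    return verified, failed

def record_aliases(alias_store, verified):
    """Treat all verified WebIDs as naming one agent (wid1 = wid2 = ...)."""
    group = set(verified)
    for uri in verified:
        group |= alias_store.get(uri, set())
    for uri in group:
        alias_store[uri] = group
    return group

def known_agent(alias_store, verified):
    """Failover: the agent is recognised if any verified WebID is already known."""
    return any(uri in alias_store for uri in verified)
```
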