certs for signed assertions. doing webid from peter williams on 2011-03-30 (public-xg-webid@w3.org from March 2011)

From: peter williams <home_pw@msn.com>
Date: Wed, 30 Mar 2011 10:56:48 -0700
To: <public-xg-webid@w3.org>
Message-ID: <SNT143-ds44F8E36012F08879E6B8C92BC0@phx.gbl>

As a sideeffect of implementing a demo of the webid process outlined in the
spec, out fell another use case: the code that "validates a https client
cert" can also validate the cert attached to an incoming signed assertion
issued by ActiveDirectory Federation Service (or any other similar IDP).

 

Is this webid, though?

 

The code I wrote doesn't know or care (given the way the spec is written)
whether the cert under inspection is an SSL client cert or an cert
supporting an Signed assertion posted to a website, due to a IDP/SP
ping/pong protocol run. Given a cert DER blob, it just calls uriburner to do
remote sparql,  testing for a the cert's pubkey in the foaf card identified
using the SAN field.

 

If this is webid, we should make sure it's clear to implementers that using
webid to validate a signed assertion's (self-signed) cert is an entirely
legitimate use case.

Received on Wednesday, 30 March 2011 17:57:35 UTC