- From: peter williams <home_pw@msn.com>
- Date: Wed, 30 Mar 2011 10:56:48 -0700
- To: <public-xg-webid@w3.org>
Received on Wednesday, 30 March 2011 17:57:35 UTC
As a side effect of implementing a demo of the webid process outlined in the spec, out fell another use case: the code that "validates a https client cert" can also validate the cert attached to an incoming signed assertion issued by ActiveDirectory Federation Service (or any other similar IDP). Is this webid, though? The code I wrote doesn't know or care (given the way the spec is written) whether the cert under inspection is an SSL client cert or a cert supporting a signed assertion posted to a website, due to an IDP/SP ping/pong protocol run. Given a cert DER blob, it just calls uriburner to do remote sparql, testing for the cert's pubkey in the foaf card identified using the SAN field. If this is webid, we should make sure it's clear to implementers that using webid to validate a signed assertion's (self-signed) cert is an entirely legitimate use case.