- From: Stéphane Corlosquet <scorlosquet@gmail.com>
- Date: Mon, 28 Nov 2011 21:05:06 -0500
- To: Peter Williams <home_pw@msn.com>
- Cc: andrei@fcns.eu, "public-xg-webid@w3.org" <public-xg-webid@w3.org>
- Message-ID: <CAGR+nnFPzJQFZNBGKhS--nD-4f=TXe6sQV7uvvP=6zH2LVRm3w@mail.gmail.com>
Hi Peter,

On Mon, Nov 28, 2011 at 8:39 PM, Peter Williams <home_pw@msn.com> wrote:

> I vote we impose a limit of one, but that the text says... a future
> version of the standard will very likely reconsider this limit, as user
> experience is gained.

I'm assuming you are talking about public keys of a given WebID profile? That won't work for multi-browser support, unless you either manage to generate certificates with the same pubkey in all your browsers, or you use a separate WebID profile for each browser.

> Similarly, I vote that the hexbinary format of the modulus in a webid
> profile should be required to be only lower-case hex digits (rather than
> free form).
>
> I'm tempted to suggest that only 1 URI be permitted in the cert too, with
> similar language about the strong likelihood of this changing as
> anticipated needs actually materialize.

Have you considered the reasons for allowing multiple SANs? [1] (there are more) What's your reasoning for limiting it to one? I recall you had some limitation from your library? Surely that is not the only reason, I hope.

Steph.

[1] http://www.w3.org/2005/Incubator/webid/track/issues/1

> > ________________________________
> > Date: Tue, 29 Nov 2011 00:18:23 +0100
> > From: andrei@fcns.eu
> > To: public-xg-webid@w3.org
> > Subject: Re: Updated IdP to new spec.
> >
> > Hi Kingsley,
> >
> > Yeah, it looks like I forgot to limit the test for the number of public
> > keys a foaf profile can have. Maybe we can have a formal discussion on
> > this subject.
> >
> > What would be a "best practice" in this case?
> >
> > How many keys can we have in a single profile, so that it will not look
> > like a DoS attack?
> >
> > Andrei
> >
> > On 11/28/11 22:01, Kingsley Idehen wrote:
> > Andrei,
> >
> > Output from testing a latest WebID from our generator [1][2] against
> > your verifier. I notice you scan all six of the public key relations in
> > my graph. What happens if there were more? Wouldn't your system
> > timeout? Luckily I cleaned out the 30+ relations I had prior to this
> > test. What about performing an explicit lookup?
> >
> > * Checking ownership of certificate (public key matches private
> >   key)... PASSED (Reason: GENEROUS)
> >
> > * Checking if certificate contains URIs in the subjectAltName field... PASSED
> >
> > * Found 1 URIs in the certificate (a maximum of 3 will be tested).
> >
> > * Checking URI 1 (http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this)...
> >   - Trying to fetch and process certificate(s) from webid profile...
> >     Testing if the modulus representation matches the one in the
> >     webid (found a modulus value)...
> >
> >     Testing modulus... - FAILED
> >     WebID=f4990925e526be2.......a5c172d91fafa01
> >     Cert =994d0067dd21021.......ca1e663983345d3
> >
> >     Testing if the modulus representation matches the one in the
> >     webid (found a modulus value)...
> >
> >     Testing modulus... - FAILED
> >     WebID=c9cbdde371ea987.......c3d4e28dfe27423
> >     Cert =994d0067dd21021.......ca1e663983345d3
> >
> >     Testing if the modulus representation matches the one in the
> >     webid (found a modulus value)...
> >
> >     Testing modulus... - FAILED
> >     WebID=d633f04252a9b3f.......e719cb59227d8a7
> >     Cert =994d0067dd21021.......ca1e663983345d3
> >
> >     Testing if the modulus representation matches the one in the
> >     webid (found a modulus value)...
> >
> >     Testing modulus... - FAILED
> >     WebID=db0aec1b33f4909.......8ea627df06f60b3
> >     Cert =994d0067dd21021.......ca1e663983345d3
> >
> >     Testing if the modulus representation matches the one in the
> >     webid (found a modulus value)...
> >
> >     Testing modulus... - FAILED
> >     WebID=cd3ff1569dc66df.......e3ab848cfccd1e7
> >     Cert =994d0067dd21021.......ca1e663983345d3
> >
> >     Testing if the modulus representation matches the one in the
> >     webid (found a modulus value)...
> >
> >     Testing modulus... PASSED
> >     WebID=994d0067dd21021.......ca1e663983345d3
> >     Cert =994d0067dd21021.......ca1e663983345d3
> >
> >     Match found, ignoring futher tests!
> >
> > * Authentication successful!
> >
> >
> > Your certificate contains the following WebIDs:
> >
> > * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this
> >
> > The WebID URI used to claim your identity is:
> >
> > * http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this
> >   (your claim was SUCCESSFUL!)
> >
> > The WebID URL suffix (to be signed) for your service provider is:
> >
> > * ?webid=http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this&ts=2011-11-28UTC20:53:50+00:00
> >   <http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this%26ts%3d2011-11-28UTC20%3a53%3a50+00%3a00>
> >
> > Unless both of those strings map to the same number, your
> > identification experience will vary across clients.
> >
> >
> > Your certificate in PEM format:
> >
> > -----BEGIN CERTIFICATE-----
> > MIIDlDCCAv2gAwIBAgICALAwDQYJKoZIhvcNAQEFBQAwdjELMAkGA1UEBhMCVVMx
> > FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEzARBgNVBAcUCkJ1cmxpbmd0b24xHjAc
> > BgNVBAoUFU9wZW5saW5rIFNvZnR3YXJlIEluYzEaMBgGA1UEAxQRaWQubXlvcGVu
> > bGluay5uZXQwHhcNMTExMTI4MjA1MDI4WhcNMTIxMTI3MjA1MDI4WjCBgzEtMCsG
> > A1UEAxMkS2luZ3NsZXkgVXlpIElkZWhlbiAoTXlPcGVuTGluayBOZXcpMSswKQYD
> > VQQKEyJPcGVuTGluayBTb2Z0d2FyZSAoTXlPcGVuTGluayBJZFApMSUwIwYJKoZI
> > hvcNAQkBFhZraWRlaGVuQG9wZW5saW5rc3cuY29tMIIBIjANBgkqhkiG9w0BAQEF
> > AAOCAQ8AMIIBCgKCAQEAmU0AZ90hAhmkSb6xhPIOpQ6ajKces9uLQl/1yPBW1PiK
> > VZxhfk9LILVGNZEdRcYk1B+Ejmzfo62hpo9u3Iu9RbVBjsNsy7DAWtqNkdnCq16p
> > P5gkuukObDMXmMLINCdgy0lMu9Mhg8E81Dy9wMInbGm85j9wkO3CCypN5E9WgAFu
> > GeEgV76AAfOjMWHS/quH21o1Hn7aM+MHts1UonGg6kpHupOY1/ERGBIc7KcIYuhm
> > cZj1/BmSQXHYdYsuHSd/c8d6DFjWKO/a3pdBhXVT6qTFTILEXwiy7xurj3RSrt57
> > jjgsqcJFd2XBRRXJIVLFi93arnHPxpEcoeZjmDNF0wIDAQABo4GeMIGbMB0GA1Ud
> > DgQWBBQQpXFH3GrJwhziRGoN6dvlFLF0fTBLBgNVHREERDBChkBodHRwOi8vaWQu
> > bXlvcGVubGluay5uZXQvZGF0YXNwYWNlL3BlcnNvbi9LaW5nc2xleVV5aUlkZWhl
> > biN0aGlzMC0GCWCGSAGG+EIBDQQgFh5WaXJ0dW9zbyBHZW5lcmF0ZWQgQ2VydGlm
> > aWNhdGUwDQYJKoZIhvcNAQEFBQADgYEAuL9WUixSviSQA6AeIoTguFbam7XA/med
> > eoPnQ13o0erjkAjui+5UBLIMzih4r6Ma/wMrO3HsmU3Zw9/jPyJd+sWXaeYdQOPt
> > 7S+rDHLoYJrafoWA1UORCp/HuOpB2JIdX4pxAO4tNKPQr29I2GdCu3RoTgVrkdNP
> > HrF0JktHuj0=
> > -----END CERTIFICATE-----
> >
> >
> > Your certificate in text format:
> >
> > Certificate:
> >     Data:
> >         Version: 3 (0x2)
> >         Serial Number: 176 (0xb0)
> >         Signature Algorithm: sha1WithRSAEncryption
> >         Issuer: C=US, ST=Massachusetts, L=Burlington, O=Openlink Software Inc, CN=id.myopenlink.net
> >         Validity
> >             Not Before: Nov 28 20:50:28 2011 GMT
> >             Not After : Nov 27 20:50:28 2012 GMT
> >         Subject: CN=Kingsley Uyi Idehen (MyOpenLink New), O=OpenLink Software (MyOpenLink IdP)/emailAddress=kidehen@openlinksw.com
> >         Subject Public Key Info:
> >             Public Key Algorithm: rsaEncryption
> >             RSA Public Key: (2048 bit)
> >                 Modulus (2048 bit):
> >                     00:99:4d:00:67:dd:21:02:19:a4:49:be:b1:84:f2:
> >                     0e:a5:0e:9a:8c:a7:1e:b3:db:8b:42:5f:f5:c8:f0:
> >                     56:d4:f8:8a:55:9c:61:7e:4f:4b:20:b5:46:35:91:
> >                     1d:45:c6:24:d4:1f:84:8e:6c:df:a3:ad:a1:a6:8f:
> >                     6e:dc:8b:bd:45:b5:41:8e:c3:6c:cb:b0:c0:5a:da:
> >                     8d:91:d9:c2:ab:5e:a9:3f:98:24:ba:e9:0e:6c:33:
> >                     17:98:c2:c8:34:27:60:cb:49:4c:bb:d3:21:83:c1:
> >                     3c:d4:3c:bd:c0:c2:27:6c:69:bc:e6:3f:70:90:ed:
> >                     c2:0b:2a:4d:e4:4f:56:80:01:6e:19:e1:20:57:be:
> >                     80:01:f3:a3:31:61:d2:fe:ab:87:db:5a:35:1e:7e:
> >                     da:33:e3:07:b6:cd:54:a2:71:a0:ea:4a:47:ba:93:
> >                     98:d7:f1:11:18:12:1c:ec:a7:08:62:e8:66:71:98:
> >                     f5:fc:19:92:41:71:d8:75:8b:2e:1d:27:7f:73:c7:
> >                     7a:0c:58:d6:28:ef:da:de:97:41:85:75:53:ea:a4:
> >                     c5:4c:82:c4:5f:08:b2:ef:1b:ab:8f:74:52:ae:de:
> >                     7b:8e:38:2c:a9:c2:45:77:65:c1:45:15:c9:21:52:
> >                     c5:8b:dd:da:ae:71:cf:c6:91:1c:a1:e6:63:98:33:
> >                     45:d3
> >                 Exponent: 65537 (0x10001)
> >         X509v3 extensions:
> >             X509v3 Subject Key Identifier:
> >                 10:A5:71:47:DC:6A:C9:C2:1C:E2:44:6A:0D:E9:DB:E5:14:B1:74:7D
> >             X509v3 Subject Alternative Name:
> >                 URI:http://id.myopenlink.net/dataspace/person/KingsleyUyiIdehen#this
> >             Netscape Comment:
> >                 Virtuoso Generated Certificate
> >     Signature Algorithm: sha1WithRSAEncryption
> >         b8:bf:56:52:2c:52:be:24:90:03:a0:1e:22:84:e0:b8:56:da:
> >         9b:b5:c0:fe:67:9d:7a:83:e7:43:5d:e8:d1:ea:e3:90:08:ee:
> >         8b:ee:54:04:b2:0c:ce:28:78:af:a3:1a:ff:03:2b:3b:71:ec:
> >         99:4d:d9:c3:df:e3:3f:22:5d:fa:c5:97:69:e6:1d:40:e3:ed:
> >         ed:2f:ab:0c:72:e8:60:9a:da:7e:85:80:d5:43:91:0a:9f:c7:
> >         b8:ea:41:d8:92:1d:5f:8a:71:00:ee:2d:34:a3:d0:af:6f:48:
> >         d8:67:42:bb:74:68:4e:05:6b:91:d3:4f:1e:b1:74:26:4b:47:
> >         ba:3d
> >
> >
> > --
> >
> > Regards,
> >
> > Kingsley Idehen
> > Founder & CEO
> > OpenLink Software
> > Company Web: http://www.openlinksw.com
> > Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> > Twitter/Identi.ca handle: @kidehen
> > Google+ Profile: https://plus.google.com/112399767740508618350/about
> > LinkedIn Profile: http://www.linkedin.com/in/kidehen
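The two points the thread turns on, comparing the certificate modulus against each key published in the WebID profile without being tripped up by how the hex is spelled, and bounding how many keys a verifier will examine so a profile with dozens of key relations cannot tie it up, as an added Python example. This is not the thread's verifier, the OpenLink generator, or any WebID implementation's code. The certificate modulus and exponent are taken from the OpenSSL dump quoted above; the profile keys, the three-key cap (the number the quoted verifier reports) and the function names are this example's own constructions.

```python
import re

# Certificate modulus as OpenSSL prints it: colon-separated, with the leading
# 0x00 sign byte. Copied from the certificate dump quoted in the thread.
CERT_MODULUS_OPENSSL = """
00:99:4d:00:67:dd:21:02:19:a4:49:be:b1:84:f2:
0e:a5:0e:9a:8c:a7:1e:b3:db:8b:42:5f:f5:c8:f0:
56:d4:f8:8a:55:9c:61:7e:4f:4b:20:b5:46:35:91:
1d:45:c6:24:d4:1f:84:8e:6c:df:a3:ad:a1:a6:8f:
6e:dc:8b:bd:45:b5:41:8e:c3:6c:cb:b0:c0:5a:da:
8d:91:d9:c2:ab:5e:a9:3f:98:24:ba:e9:0e:6c:33:
17:98:c2:c8:34:27:60:cb:49:4c:bb:d3:21:83:c1:
3c:d4:3c:bd:c0:c2:27:6c:69:bc:e6:3f:70:90:ed:
c2:0b:2a:4d:e4:4f:56:80:01:6e:19:e1:20:57:be:
80:01:f3:a3:31:61:d2:fe:ab:87:db:5a:35:1e:7e:
da:33:e3:07:b6:cd:54:a2:71:a0:ea:4a:47:ba:93:
98:d7:f1:11:18:12:1c:ec:a7:08:62:e8:66:71:98:
f5:fc:19:92:41:71:d8:75:8b:2e:1d:27:7f:73:c7:
7a:0c:58:d6:28:ef:da:de:97:41:85:75:53:ea:a4:
c5:4c:82:c4:5f:08:b2:ef:1b:ab:8f:74:52:ae:de:
7b:8e:38:2c:a9:c2:45:77:65:c1:45:15:c9:21:52:
c5:8b:dd:da:ae:71:cf:c6:91:1c:a1:e6:63:98:33:
45:d3
"""
CERT_EXPONENT = 65537

# Cap on how many profile keys are examined (the quoted verifier says "a maximum
# of 3 will be tested"). The cap is this example's policy choice, not a spec value.
MAX_KEYS_TESTED = 3

HEXBINARY_CANONICAL = re.compile(r"[0-9a-f]+")


def parse_hex(value: str) -> int:
    """Parse any spelling of a hex modulus (OpenSSL colons, whitespace, a 0x prefix,
    upper or lower case) into an integer. Comparing integers means case and leading
    zero bytes cannot produce a spurious mismatch between profile and certificate."""
    cleaned = re.sub(r"[\s:]", "", value)
    if cleaned[:2].lower() == "0x":
        cleaned = cleaned[2:]
    if not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError("not a hexadecimal string")
    return int(cleaned, 16)


def is_canonical_hexbinary(value: str) -> bool:
    """True if the profile's modulus literal uses only lower-case hex digits with no
    separators or prefix, the restricted form proposed in the thread. A verifier can
    flag non-canonical literals while still accepting them via parse_hex."""
    return HEXBINARY_CANONICAL.fullmatch(value) is not None


def match_certificate(cert_modulus, cert_exponent, profile_keys, max_keys=MAX_KEYS_TESTED):
    """Return (index, reason): the index of the first profile key whose modulus and
    exponent both equal the certificate's, or None. Only the first max_keys keys are
    examined, and a malformed key is skipped rather than aborting the whole check."""
    cert_n = parse_hex(cert_modulus)
    for index, key in enumerate(profile_keys[:max_keys]):
        try:
            n = parse_hex(key["modulus"])
            e = int(key["exponent"])
        except (ValueError, KeyError, TypeError):
            continue
        if n == cert_n and e == cert_exponent:
            return index, "match"
    if len(profile_keys) > max_keys:
        return None, f"no match among the first {max_keys} of {len(profile_keys)} keys"
    return None, "no match"


# Constructed sample profile keys (not from the thread). The real key is written as
# hexBinary with a leading "00" byte and upper-case digits to show that the numeric
# comparison still succeeds; the first entry shares the modulus but not the exponent.
_cert_hex_upper = format(parse_hex(CERT_MODULUS_OPENSSL), "X")
PROFILE_KEYS = [
    {"modulus": _cert_hex_upper, "exponent": "3"},             # same modulus, wrong exponent
    {"modulus": "d2b1c4e7" * 8, "exponent": "65537"},           # unrelated constructed key
    {"modulus": "00" + _cert_hex_upper, "exponent": "65537"},   # the certificate's key
    {"modulus": "not-hex", "exponent": "65537"},                # malformed literal
]


def verify_sample():
    """Run the match twice: once with the real key inside the cap, once with five
    extra unrelated keys in front of it, as a profile with 30+ relations would look."""
    within_cap = match_certificate(CERT_MODULUS_OPENSSL, CERT_EXPONENT, PROFILE_KEYS)
    padded = [PROFILE_KEYS[1]] * 5 + PROFILE_KEYS  # real key now sits at index 7
    beyond_cap = match_certificate(CERT_MODULUS_OPENSSL, CERT_EXPONENT, padded)
    return within_cap, beyond_cap


if __name__ == "__main__":
    print(verify_sample())
```

The second run is the situation Andrei and Kingsley describe: with the cap in place the verifier does bounded work and returns a clear "no match among the first 3 of 9 keys" rather than scanning every relation, which is the trade-off the thread is weighing against multi-browser profiles that legitimately carry several keys. Keeping the lower-case-only check separate from the parser lets a verifier report a profile that does not follow the proposed convention without breaking authentication for it.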
Received on Tuesday, 29 November 2011 02:05:48 UTC