Re: cert:fingerprint ?

[cc'ed Evan Prodromou, since this is an interesting idea relating tweets and WebID]


On 25 Oct 2011, at 22:11, Kingsley Idehen wrote:

> On 10/25/11 4:07 PM, Kingsley Idehen wrote:
>> On 10/25/11 3:02 PM, Henry Story wrote:
>>> Ok, it is certainly possible to have a link from a cert:X509Certificate to a fingerprint. But what is the use you wish to make of this? I.e., the use case.
>>> 
>> I want to be able to use Blog Posts, Tweets as resources that hold the relation between a WebID and its host Certificate. Thus, instead of being confined to modulus and exponent based checks, I can just use the Cert's fingerprint.
>> 
>> BTW -- I already have this working i.e., I can use a Tweet or Blog Post to persist the fingerprint. Then, as part of our particular WebID verification protocol implementation, we use this approach to verify identity. Thus, we are lowering the barrier of entry by allowing people to publish their certificates (with WebID watermarks) via Blog Posts, Tweets etc.
>> 
>> I hope the use case is clear? It's really important for us to find a low cost pattern that is highly viral re. WebID.
>> 
> 
> Henry,
> 
> So it goes like this:
> 
> #me hasCertificate [ a cert:X509Certificate; hasFingerprint "F3:46:11:63:D9:5A:22:10:5F:4A:AD:65:33:50:DE:27" ; hasFingerprintDigest <md5> ]

Ok so this is a whole program.  Here are a few concerns/questions:

1. What are the security risks of this? - I don't expect you to answer it, rather some security people in the know might be able to tell us what the reliability of such fingerprints is, how easy it is to create a clash. As you can see, Harry Halpin in another thread is making noises about unidentified security concerns. We need to be careful not to give such people ammunition. And in security, paranoia is the norm, it seems, as we can see with some of the veterans on this list.

2. How is that published? What is the MIME type? As I see it, this is mainly useful in tweets. Anything with more space could clearly be able to hold the full public key, and so be immune to any issues that may arise now or in the future with fingerprint algorithms.

3. How is it viral? It is not because you can publish something on a large engine that it becomes viral. People still have to be able to use it for something that then makes them want to re-use it, and tell their friends about it. It has to be able to spread somehow. 

4. How does a tweet tie into the linked data space? I can see that it could do that on Identi.ca, as it ties tweets to foaf. (so here the feedback from Evan Prodromou may be useful). 

5. What happens when tweets die? Ok, someone puts up a new tweet, I suppose.

I mean clearly I can see this being of interest as a test case to twitter engines. But as soon as they grok this, they will be able to place the full public key in a better linked space.

Sorry for being critical. It's my nature. ;-)

Henry

> 
> seeAlso:
> http://search.twitter.com/search.json?q=%40Fingerprint:F3:46:11:63:D9:5A:22:10:5F:4A:AD:65:33:50:DE:27 -- structured data from Twitter space
> 
> The rest is transformation, and even better if said transformation is based on WOT ontology.
> 
> -- 
> 
> Regards,
> 
> Kingsley Idehen	
> President & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
> 

Social Web Architect
http://bblfish.net/

Received on Tuesday, 25 October 2011 20:33:49 UTC
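
Added example, not part of the original thread and not code from any WebID implementation: a verifier that parses a claim in the notation sketched above, recomputes the fingerprint over the certificate's DER bytes, and refuses digests with known practical collisions, which is the concern raised in question 1. The function names, the `ALLOWED_DIGESTS` policy, the `<sha256>` digest name and the stand-in certificate bytes are assumptions of this example.

```python
import hashlib
import hmac
import re

# Policy assumed by this example: MD5 and SHA-1 are refused because practical
# collisions are known for both; only SHA-2 digests are accepted.
ALLOWED_DIGESTS = {"sha256", "sha384", "sha512"}

# Matches the notation sketched in the thread.
CLAIM_RE = re.compile(
    r'hasFingerprint\s+"(?P<fp>[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)"\s*;\s*'
    r'hasFingerprintDigest\s+<(?P<digest>[A-Za-z0-9-]+)>'
)

def parse_claim(text):
    """Return (digest_name, fingerprint_bytes) from a published claim."""
    m = CLAIM_RE.search(text)
    if m is None:
        raise ValueError("no fingerprint claim found")
    digest = m.group("digest").lower().replace("-", "")
    return digest, bytes.fromhex(m.group("fp").replace(":", ""))

def fingerprint(cert_der, digest):
    """A certificate fingerprint is the digest of its full DER encoding."""
    return hashlib.new(digest, cert_der).digest()

def format_fp(raw):
    return ":".join(f"{b:02X}" for b in raw)

def verify_claim(text, cert_der):
    """Check the certificate presented by the client against the claim."""
    digest, claimed = parse_claim(text)
    if digest not in ALLOWED_DIGESTS:
        return False, f"digest {digest!r} rejected by policy"
    # Constant-time comparison; a truncated fingerprint simply fails to match.
    if hmac.compare_digest(fingerprint(cert_der, digest), claimed):
        return True, "match"
    return False, "fingerprint mismatch"

# Constructed stand-in for DER bytes (not a real certificate).
CERT_DER = b"constructed-stand-in-for-certificate-DER-bytes"
# The claim exactly as posted in the thread (MD5, 16 bytes).
PAGE_CLAIM = ('#me hasCertificate [ a cert:X509Certificate; hasFingerprint '
              '"F3:46:11:63:D9:5A:22:10:5F:4A:AD:65:33:50:DE:27" ; '
              'hasFingerprintDigest <md5> ]')
# Same notation with a SHA-256 value computed over the stand-in bytes.
GOOD_CLAIM = ('hasFingerprint "%s" ; hasFingerprintDigest <sha256>'
              % format_fp(fingerprint(CERT_DER, "sha256")))
```

`verify_claim(PAGE_CLAIM, CERT_DER)` is refused on the digest name alone, before any comparison, while `verify_claim(GOOD_CLAIM, CERT_DER)` matches only for the exact bytes the fingerprint was computed over.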