Re: cert:fingerprint ?

On 10/25/11 4:33 PM, Henry Story wrote:
> [cc ed Evan Prodromou, since this is an interesting idea relating tweets and WebID]
>
>
> On 25 Oct 2011, at 22:11, Kingsley Idehen wrote:
>
>> On 10/25/11 4:07 PM, Kingsley Idehen wrote:
>>> On 10/25/11 3:02 PM, Henry Story wrote:
> >>>> Ok, it is certainly possible to have a link from a cert:X509Certificate to a fingerprint. But what is the use you wish to make of this? I.e., the use case.
>>>>
> >>> I want to be able to use Blog Posts, Tweets as resources that hold the relation between a WebID and its host Certificate. Thus, instead of being confined to modulus and exponent based checks, I can just use the Cert's fingerprint.
>>>
> >>> BTW -- I already have this working i.e., I can use a Tweet or Blog Post to persist the fingerprint. Then, as part of our particular WebID verification protocol implementation, we use this approach to verify identity. Thus, we are lowering the barrier of entry by allowing people to publish their certificates (with WebID watermarks) via Blog Posts, Tweets etc.
>>>
> >>> I hope the use case is clear? It's really important for us to find a low cost pattern that is highly viral re. WebID.
>>>
>> Henry,
>>
>> So it goes like this:
>>
>> #me hasCertificate [ a cert:X509Certificate; hasFingerprint "F3:46:11:63:D9:5A:22:10:5F:4A:AD:65:33:50:DE:27" ; hasFingerprintDigest<md5>  ]
> Ok so this is a whole program.  Here are a few concerns/questions:
>
> 1. What are the security risks of this? - I don't expect you to answer it, rather some security people in the know might be able to tell us what the reliability of such fingerprints is, how easy is it to create a clash.

Hmm, how well do you know us? Our fundamental value proposition is 
actually based on data access security :-)
We've been using graphs for security since 1992 re. data access. Remember, 
RDF isn't our introduction to graphs.

> As you can see Harry Halpin in another thread is making noises about unidentified security concerns. We need to be careful not to give such people ammunition. And in security paranoia is the norm it seems, as we can see with some of the veterans on this list.

Again, you seem to understand the makeup of OpenLink Software. Thus, I 
can only assume this is the basis for your assumptions above re. 
paranoia and veteran status.

> 2. How is that published? What is the MIME type? As I see it, this is mainly useful in tweets. Anything with more space could clearly be able to hold the full public key, and so be immune to any issues that may arise now or in the future with fingerprint algorithms.

Tweets have <= 147 chars. That's the window, hence the fingerprint.

> 3. How is it viral? It is not because you can publish something on a large engine that it becomes viral.

Viral means: easy uptake via simple web linking patterns i.e., people 
pass it on because it's easy to use and explain.

The fingerprint gets into the Twitter space via OAuth. That's how 
Twitter apps write data to Twitter.

> People still have to be able to use it for something that then makes them want to re-use it, and tell their friends about it. It has to be able to spread somehow.
>
Yes, so they can get a WebID via a Cert. Generator that writes a Tweet 
or post to a Weblog that supports AtomPub.

Once you have a WebID you can do the following:

1. send signed emails
2. share resources via ACLs.

Again, all because you encountered a security token generator that 
supports WebID watermarks, verification protocol, and the ability to 
post to Web 2.0 style data spaces.

> 4. How does a tweet tie into the linked data space? I can see that it could do that on Identi.ca, as it ties tweets to foaf. (so here the feedback from Evan Prodromou may be useful).

Twitter produces structured data that is accessible via APIs. As per my 
example, turning Twitter data into Linked Data is something we and 
others have done since they released an API years ago.

> 5. What happens when tweets die? Ok someone puts up a new tweet, I suppose.

Er... it's on the Web, it talks HTTP, we grok cache invalidation. We also 
have Virtuoso, it can also do reasoning etc.
> I mean clearly I can see this being of interest as a test case to twitter engines. But as soon as they grok this, they will be able to place the full public key in a better linked space.

Distracting subjective statement to which I will not really respond.
> Sorry for being critical. It's my nature. ;-)

You aren't being critical. I think you are sorta missing the point :-)

I am not seeking your approval. I am simply informing you about what we 
have and how it can tie into the goals of this effort.


Kingsley
> Henry
>
>> seeAlso:
>> http://search.twitter.com/search.json?q=%40Fingerprint:F3:46:11:63:D9:5A:22:10:5F:4A:AD:65:33:50:DE:27 -- structured data from Twitter space
>>
>> The rest is transformation, and even better if said transformation is based on WOT ontology.
>>
>> -- 
>>
>> Regards,
>>
>> Kingsley Idehen	
>> President & CEO
>> OpenLink Software
>> Company Web: http://www.openlinksw.com
>> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
>> Twitter/Identi.ca handle: kidehen
>> Google+ Profile: https://plus.google.com/112399767740508618350/about
>> LinkedIn Profile: http://www.linkedin.com/in/kidehen
>>
> Social Web Architect
> http://bblfish.net/
>
>
>


-- 

Regards,

Kingsley Idehen	
President & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Tuesday, 25 October 2011 21:32:46 UTC
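
Added example (not part of the original message, and not OpenLink's implementation): a check of a published fingerprint statement, in the form quoted in the thread, against a presented certificate. It records which digest the claim relies on, since MD5 and SHA-1 have known practical collision attacks. The certificate bytes, function names and status strings are constructed for illustration.

```python
import hashlib
import hmac
import re

# Digests with known practical collision attacks vs. ones currently considered sound.
WEAK_DIGESTS = {"md5", "sha1"}
STRONG_DIGESTS = {"sha256", "sha384", "sha512"}

# Matches: hasFingerprint "AA:BB:..." ; hasFingerprintDigest<alg>
CLAIM_RE = re.compile(
    r'hasFingerprint\s+"(?P<fp>[0-9A-Fa-f:]+)"\s*;\s*'
    r'hasFingerprintDigest\s*<(?P<alg>[A-Za-z0-9]+)>'
)

# The statement exactly as posted in the thread.
THREAD_CLAIM = ('#me hasCertificate [ a cert:X509Certificate; hasFingerprint '
                '"F3:46:11:63:D9:5A:22:10:5F:4A:AD:65:33:50:DE:27" ; '
                'hasFingerprintDigest<md5>  ]')

# Constructed stand-in for the DER bytes of a certificate (a fingerprint is
# simply a digest over those bytes, so any byte string exercises the logic).
CERT_DER = b"constructed placeholder for DER-encoded certificate bytes"

def parse_claim(text):
    """Return (digest_name, fingerprint_bytes) from a published statement."""
    m = CLAIM_RE.search(text)
    if m is None:
        raise ValueError("no fingerprint statement found")
    return m.group("alg").lower(), bytes.fromhex(m.group("fp").replace(":", ""))

def format_claim(cert_der, alg):
    """Build a statement in the thread's form for the given certificate."""
    h = hashlib.new(alg, cert_der).hexdigest().upper()
    fp = ":".join(h[i:i + 2] for i in range(0, len(h), 2))
    return (f'#me hasCertificate [ a cert:X509Certificate; '
            f'hasFingerprint "{fp}" ; hasFingerprintDigest<{alg}> ]')

def check_claim(text, cert_der):
    """Compare the claimed fingerprint with the presented certificate."""
    alg, claimed = parse_claim(text)
    if alg not in WEAK_DIGESTS | STRONG_DIGESTS:
        return "unsupported-digest"
    actual = hashlib.new(alg, cert_der).digest()
    # compare_digest avoids leaking the position of the first differing byte.
    if not hmac.compare_digest(claimed, actual):
        return "mismatch"
    # A match under a collision-prone digest is reported separately so the
    # relying party can decide whether to accept it.
    return "match" if alg in STRONG_DIGESTS else "match-weak-digest"
```

A colon-separated SHA-256 fingerprint is 95 characters long.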