Re: Matter of DN and what's possible

On 8 Jan 2012, at 23:39, Kingsley Idehen wrote:

>> If I'm understanding correctly, you're saying (for example), that sIA might contain a URL,
> 
> Yep!
> 
> This reference (an Address) resolves to a profile resource bearing claims mirror.
>> while the sAN contains the URI of the certificate holder which appears within the document published at the sIA URL?
> 
> Yep!
> 
> Then you completely solve the burden problem for publishers re. Linked Data publishing nuances that ultimately introduce control problems, as already demonstrated by Peter's experiments.

You introduce a new problem, however.

WebID revolves around the fact that the URI you provide in the subjectAltName is (in some fashion or another) dereferenceable and can be processed by verifiers because asserting the key there allows you to demonstrate that you control it — you’re effectively demonstrating “ownership” — and so applications can then use that URI to identify you. This isn't especially different from the “we have e-mailed you a verification link” automated processes which, having been followed, allow you to be identified by an e-mail address, nor terribly different to Google’s Webmaster Tools site verification or Apps CNAME.

How does this work when you’re instructed to look somewhere else entirely via a sIA?

If my sAN says I am <http://billg.microsoft.com/#me> and my sIA says to look at <http://data.nevali.net/billg>, you’re still none the wiser as to whether I really have any authority over the resource at <http://billg.microsoft.com/> or not — instead, I’m effectively '<http://data.nevali.net/billg> { <http://billg.microsoft.com/> }', which is quite different.

M.

-- 
Mo McRoberts - Technical Lead - The Space,
0141 422 6036 (Internal: 01-26036) - PGP key CEBCF03E,
Project Office: Room 7083, BBC Television Centre, London W12 7RJ

Received on Sunday, 8 January 2012 23:58:18 UTC
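The verifier logic Mo is describing, as an added example that is not part of the thread and not the WebID project's own code. It contrasts the ordinary check (dereference the sAN URI and look for the certificate's key there) with the sIA proposal (fetch the profile from wherever the sIA points). Assumptions of the example: profile documents are modelled offline as a constructed dict of (subject URI, RSA modulus, exponent) triples rather than as real RDF with cert:modulus / cert:exponent, and "control" is judged by whether the document that asserts the key sits under the same scheme and host as the sAN URI.

```python
from urllib.parse import urlparse, urldefrag

# Constructed, offline stand-in for dereferencing a profile document.
# Maps a document URL (fragment stripped) to the public keys it asserts as
# (subject WebID, RSA modulus hex, public exponent). This flattening is an
# assumption of the example; real profiles are RDF (cert:RSAPublicKey).
PROFILE_DOCUMENTS = {
    # Mo's scenario: the sAN's own host asserts nothing about the key ...
    "http://billg.microsoft.com/": [],
    # ... while the sIA target does.
    "http://data.nevali.net/billg": [
        ("http://billg.microsoft.com/#me", "c0ffee", 65537),
    ],
    # Ordinary WebID: the key is asserted at the sAN's own authority.
    "http://example.net/alice": [
        ("http://example.net/alice#me", "decaf", 65537),
    ],
}


def fetch_profile(url):
    """Pretend to dereference `url`; None models an unreachable document."""
    doc_url, _fragment = urldefrag(url)
    return PROFILE_DOCUMENTS.get(doc_url)


def authority(uri):
    """(scheme, host[:port]) of a URI, lower-cased for comparison."""
    parts = urlparse(uri)
    return (parts.scheme.lower(), parts.netloc.lower())


def key_asserted_for(webid, profile, cert_modulus, cert_exponent):
    """True if `profile` asserts exactly the certificate's key for `webid`."""
    return any(
        subject == webid
        and modulus.lower() == cert_modulus.lower()
        and exponent == cert_exponent
        for subject, modulus, exponent in profile
    )


def verify_webid(san_uri, cert_modulus, cert_exponent, fetch=fetch_profile):
    """Standard check: dereference the sAN URI itself and look for the key.
    Returns (ok, reason)."""
    profile = fetch(san_uri)
    if profile is None:
        return False, "sAN URI does not dereference"
    if not key_asserted_for(san_uri, profile, cert_modulus, cert_exponent):
        return False, "profile at sAN does not assert the certificate key"
    return True, "key asserted at the sAN's own authority"


def verify_with_sia(san_uri, sia_url, cert_modulus, cert_exponent,
                    fetch=fetch_profile):
    """The proposal under discussion: fetch the profile from the sIA location.
    The key may match, but unless that document shares the sAN's authority,
    nothing has shown control over the sAN URI. Returns (ok, reason)."""
    profile = fetch(sia_url)
    if profile is None:
        return False, "sIA URL does not dereference"
    if not key_asserted_for(san_uri, profile, cert_modulus, cert_exponent):
        return False, "profile at sIA does not assert the certificate key"
    if authority(sia_url) != authority(san_uri):
        return False, ("key matches, but %s says nothing about control of %s"
                       % (urlparse(sia_url).netloc, urlparse(san_uri).netloc))
    return True, "key asserted at the sAN's own authority (via sIA)"


if __name__ == "__main__":
    print(verify_webid("http://example.net/alice#me", "decaf", 65537))
    print(verify_webid("http://billg.microsoft.com/#me", "c0ffee", 65537))
    print(verify_with_sia("http://billg.microsoft.com/#me",
                          "http://data.nevali.net/billg", "c0ffee", 65537))
```

Run stand-alone, the first call succeeds, the second fails because nothing at billg.microsoft.com asserts the key, and the third fails even though the key matches, because the document making the assertion lives at data.nevali.net: exactly the gap the reply points out.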