Re: Matter of DN and what's possible

On 1/8/12 6:55 PM, Mo McRoberts wrote:
> On 8 Jan 2012, at 23:39, Kingsley Idehen wrote:
>
>>> If I'm understanding correctly, you're saying (for example), that sIA might contain a URL,
>> Yep!
>>
>> This reference (an Address) resolves to a profile resource bearing a claims mirror.
>>> while the sAN contains the URI of the certificate holder which appears within the document published at the sIA URL?
>> Yep!
>>
>> Then you completely solve the burden problem for publishers re. Linked Data publishing nuances that ultimately introduce control problems, as already demonstrated by Peter's experiments.
> You introduce a new problem, however.
>
> WebID revolves around the fact that the URI you provide in the subjectAltName is (in some fashion or another) dereferenceable and can be processed by verifiers because asserting the key there allows you to demonstrate that you control it — you’re effectively demonstrating “ownership” — and so applications can then use that URI to identify you.

No, there isn't a new problem, far from it. We are simply saying the 
route to proof doesn't have to go through a single URI.
Proof lies in the directed graph that mirrors the claims in the cert.

> This isn't especially different from the “we have e-mailled you a verification link” automated processes which, having been followed, allow you to be identified by an e-mail address, nor terribly different to Google’s Webmaster Tools site verification or Apps CNAME.

Yes and No. We'll even get to that proof once we cross this initial 
bridge re. Name, Addresses, and Descriptor (of Information) Resources.

>
> How does this work when you’re instructed to look somewhere else entirely via a sIA?

You are indicating that there is a document, somewhere on a network that 
describes the certificate subject. It's easier and much more intuitive. 
It's this part of matters that confuses people re. Linked Data since you 
have > 1 level of indirection via a single HTTP URI.

>
> If my sAN says I am <http://billg.microsoft.com/#me> and my sIA says to look at <http://data.nevali.net/billg>, you’re still none the wiser as to whether I really have any authority over the resource at <http://billg.microsoft.com/> or not — instead, I’m effectively '<http://data.nevali.net/billg> { <http://billg.microsoft.com/> }', which is quite different.

The mirrored claim is the key to proof.
>
> M.
>


-- 

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Monday, 9 January 2012 01:31:35 UTC
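The check the thread is arguing about, as an added example that is not part of this message or of any WebID implementation: a verifier takes the subjectAltName URI and the subjectInfoAccess URL from a certificate, reads the document at the sIA URL, and accepts only if that document asserts the certificate's own public key for the sAN URI (the "mirrored claim"). It also reports whether the sIA document is served from the same authority as the sAN URI, which is the cross-origin point Mo raises. Everything here is constructed: the certificate is a plain dataclass rather than parsed DER, the profile document is inline N-Triples using the cert ontology terms, and the hostnames are example domains.

```python
"""
Constructed WebID-style verifier for the sAN + sIA arrangement discussed in
the thread. Not from the original message; all data below is made up.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

CERT = "http://www.w3.org/ns/auth/cert#"   # W3C cert ontology namespace


@dataclass
class ClientCert:
    """Stand-in for a parsed X.509 client certificate (constructed)."""
    san_uris: List[str]   # subjectAltName URIs: who the holder claims to be
    sia_urls: List[str]   # subjectInfoAccess URLs: where the description lives
    modulus: int          # RSA modulus carried in the certificate
    exponent: int         # RSA public exponent carried in the certificate


# Minimal N-Triples term matcher: IRI, blank node, or (optionally typed) literal.
_TERM = re.compile(r'<([^>]*)>|(_:\S+)|"((?:[^"\\]|\\.)*)"(?:\^\^<[^>]*>)?')


def parse_ntriples(text: str) -> List[Tuple[str, str, str]]:
    """Parse N-Triples lines into (subject, predicate, object) string tuples."""
    triples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        terms = [next(g for g in m.groups() if g is not None)
                 for m in _TERM.finditer(line)]
        if len(terms) != 3:
            raise ValueError(f"malformed N-Triples line: {line!r}")
        triples.append((terms[0], terms[1], terms[2]))
    return triples


def mirrored_keys(triples, subject: str) -> List[Tuple[int, int]]:
    """Return every (modulus, exponent) the document asserts for `subject`."""
    by_subject: Dict[str, Dict[str, List[str]]] = {}
    for s, p, o in triples:
        by_subject.setdefault(s, {}).setdefault(p, []).append(o)
    keys = []
    for key_node in by_subject.get(subject, {}).get(CERT + "key", []):
        props = by_subject.get(key_node, {})
        mods = props.get(CERT + "modulus", [])   # xsd:hexBinary
        exps = props.get(CERT + "exponent", [])  # xsd:integer
        if len(mods) == 1 and len(exps) == 1:
            keys.append((int(mods[0], 16), int(exps[0])))
    return keys


def same_authority(a: str, b: str) -> bool:
    """True when two URIs share scheme and host."""
    pa, pb = urlsplit(a), urlsplit(b)
    return (pa.scheme.lower(), pa.netloc.lower()) == (pb.scheme.lower(), pb.netloc.lower())


def verify(cert: ClientCert, fetch: Callable[[str], str]) -> dict:
    """
    key_mirrored:   an sIA document asserts the cert's key for an sAN URI
    same_authority: that document is served from the sAN URI's own host
    Only the first is the mirrored-claim proof; the second records the
    cross-origin caveat so a relying party can decide what to do with it.
    """
    result = {"key_mirrored": False, "same_authority": False,
              "webid": None, "profile": None}
    for san in cert.san_uris:
        for sia in cert.sia_urls:
            try:
                triples = parse_ntriples(fetch(sia))
            except (ValueError, KeyError):
                continue  # unreachable or malformed document: no proof from it
            if (cert.modulus, cert.exponent) in mirrored_keys(triples, san):
                result.update(key_mirrored=True, webid=san, profile=sia,
                              same_authority=same_authority(san, sia))
                return result
    return result


# Constructed sample: the sIA document lives on a different host from the sAN.
SAN = "https://alice.example/#me"
SIA = "https://profiles.example.net/alice"
MODULUS = 0xC0FFEE1234567890ABCDEF   # constructed value, not a real key
EXPONENT = 65537
SAMPLE_CERT = ClientCert([SAN], [SIA], MODULUS, EXPONENT)

PROFILE_DOCS = {SIA: f"""
# constructed profile document (N-Triples) mirroring the certificate's key
<{SAN}> <{CERT}key> _:k1 .
_:k1 <{CERT}modulus> "{MODULUS:X}"^^<http://www.w3.org/2001/XMLSchema#hexBinary> .
_:k1 <{CERT}exponent> "{EXPONENT}"^^<http://www.w3.org/2001/XMLSchema#integer> .
"""}


def run_demo() -> dict:
    """Verify the sample certificate against the inline profile store."""
    return verify(SAMPLE_CERT, PROFILE_DOCS.__getitem__)


if __name__ == "__main__":
    print(run_demo())
```

The verdict for the sample is `key_mirrored=True, same_authority=False`: the mirrored claim holds, but the relying party is told that the proof came from a host other than the one named in the sAN, which is exactly the distinction the reply above draws.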