W3C home > Mailing lists > Public > public-xg-webid@w3.org > January 2012

getting from id to authnz to entitlemetns, by profile importing.

From: Peter Williams <home_pw@msn.com>
Date: Mon, 9 Jan 2012 18:22:48 -0800
Message-ID: <SNT143-W217C8CCA1E98545248D63592990@phx.gbl>
To: <melvincarvalho@gmail.com>, "public-xg-webid@w3.org" <public-xg-webid@w3.org>

I know you essentially moved on from foaf.me, but there is a case worth addressing.Im trying to get my head around the wider implications of the particual handoff between the webid IDP and SP.




I want to understand two things.


First, Im already in a "Hightened relationship model" for profile management, since the linked data cloud is now working for me, and hosting me endpoints. FGor example, it can be delivering my browser an SSL client, which points to a json service endpoint that dowhloads the server roots on the fly to that javascript function (from my own page, rendered as rdf/json). Obviously, I now have an SSL client - with my own cert store of server roots.Said cert store is called.... my page.



thats cute, but lets go simpler. In the handoff (see URI above) from IDp to SP, it of course is a simple signature. How does one validate it? well presumably, your RP code is duly  getting its own profile and ensuring that the signing key is in your (RP's metadata) - tagged with authorizations qualifying it as a IDP grade signer, distinguished from a non IDP. (Such tags are essentially the same as the basicConstraints = CA assertion, in a cert.)


If you would fix the code so it can handle my handoff, shown. id like to do a couple of things.


1. have it show my profile, post recognition of the IDP, being "imported" into that foaf maker tool. How will it make such a profile? Could it be limiting the keying/securityi capaiblities of the "derived profile"? (limited to things assotied with the IDP's governance regime)?


2. I want to make a new cert, leyed locall, within said profile. Said keys are ":in some sense" tied int a chain to the keys listed in my original profile, from whichi the improt took place. Perhaps, as a CA, there is a cert chain made...such that this "derived profile" now associated with a 2-level cert chain not 1. In this waty, I can choose to use a key (asserting 1 level of chain) and another key (assertion 2 levels of chain). In the 2 case, now I can be :"qualifying" the authorizations I epxect ot assert . The first cert is the id cert, and the second the authz cert (a PAC, using the X.509 AA cert type).


If we do that, Chadwicks Permis come full on board, giving a rich entitlement model.


Received on Tuesday, 10 January 2012 02:25:48 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:54 UTC