W3C home > Mailing lists > Public > public-xg-webid@w3.org > October 2012

S/Mime signing with WebID and certificate expiration

From: Sebastian Trueg <trueg@openlinksw.com>
Date: Mon, 01 Oct 2012 11:47:52 +0200
Message-ID: <506966C8.6010608@openlinksw.com>
To: public-webid@w3.org, public-xg-webid@w3.org
When I was introduced to WebID in my head it was mostly about 
authentication-related scenarios, situations in which one needs to 
authenticate to get access to something. Let's call them "immediate 
identity-proof" scenarios.
In these situations a compromised private key is no big deal: you simply 
remove the public key from your profile and you are safe.

However, when it comes to email-signing this is not practical anymore. 
If you would do that then suddenly all the emails you sent before the 
change of the key will show up as unverified in the recipients' inboxes.

I briefly discussed this problem with Henry who told me that it had been 
discussed before[1]. In the light of us all signing our emails with 
WebID-enabled certificates I would like to bring this up again, find a 
solution, and start implementing it.

The simplest way to go AFAICS would be to introduce a new property to 
add "expired" keys to a profile. This would retain compatibility with 
existing implementations which are mostly about authentication and do 
not need to be bothered with this extension.

To get the ball rolling let me throw some Turtle at you:

<#me> cert:expiredKey [
     a cert:RSAPublicKey, cert:ExpiredKey;
     rdfs:label "Key from back when" ;
     cert:modulus "...." ;
     cert:exponent 65537 ;
     cert:expired "2012-06-12T12:42"^^xsd:datetime ] .

(IMHO it would be much cleaner to use the good old cert:key property and 
just make the key another type but that might break implementations.)

Using this extension email clients could still verify old emails even 
though the key has been compromised in the meantime.


[1] http://lists.w3.org/Archives/Public/public-webid/2012Jan/0031.html

Sebastian Trueg
Technical Consultant
OpenLink Software

Received on Monday, 1 October 2012 09:48:20 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:39:56 UTC