Re: Getting Serious about WebID Bootstrap from Kingsley Idehen on 2012-10-01 (public-xg-webid@w3.org from October 2012)

From: Kingsley Idehen <kidehen@openlinksw.com>
Date: Mon, 01 Oct 2012 10:48:12 -0400
To: public-xg-webid@w3.org
Message-ID: <5069AD2C.30908@openlinksw.com>

On 10/1/12 7:57 AM, David Chadwick wrote:
> Kingsley
>
> the problem I have is that the signer's self signed certificate is not 
> available to me.

Good point! This where the value of Issuer Alternative Name would come 
into play. Basically, the Cert issuer's WebID goes in there and it then 
enables you de-ref the signers public key. We are adding that to all our 
generators.

> Your S/MIME cert did not include the issuer's cert in the certificate 
> chain, so where do I get it from? Without this root cert I am not able 
> to validate your cert. When sending signed email, isnt it possible to 
> include the full cert path?

In the meantime, our signer's cert is available from: 
https://www.dropbox.com/s/uig83k71kym398f/OpenLink%20Local%20CA%20Cert.crt .
>
> Or is that your email client is sending it, but Thunderbird is hiding 
> it from me?

No, right now you need to be able to de-reference its form a URL.

Kingsley
>
> regards
>
> David
>
>
> On 30/09/2012 18:11, Kingsley Idehen wrote:
>> On 9/30/12 7:05 AM, Melvin Carvalho wrote:
>>>>> >>
>>>> >Why? what do I gain from doing this - consider me a naive outsider
>>>> >
>>>> >
>>> Essentially this links your email to your WebID / Social Graph in a,
>>> standards compliant, machine readable way.
>>>
>>> I've imported my cert into thunderbird and imported the root node as 
>>> a CA
>>> but I get
>>>
>>> "Sending of message failed.
>>> Unable to sign message. Please check that the certificates specified in
>>> Mail & Newsgroups Account Settings for this mail account are valid and
>>> trusted"
>>>
>>> http://kb.mozillazine.org/Message_security
>>>
>>> Verify whether all parent nodes of the certificate are in your list of
>>> trusted CAs, and whether they can be used to identify mail users
>>>
>>> Looks I've done this but it still throws an error.  I've had bugs in
>>> thunderbird before wrt security.  Not sure on this one ...
>>>
>>
>> You have to ensure the the following:
>>
>> 1. signer certificate is imported via "Authorities" tab
>> 2. personal certificates (signed using the signer cert.) are imported
>> into "Your Certificates" tab
>> 3. email address in the certificate matches the email address of the
>> Thunderbird account being configured.
>>
>> You can also read:
>>
>> 1. http://bit.ly/NrzHNY -- using Thunderbird to send digitally signed
>> email .
>>
>
>


-- 

Regards,

Kingsley Idehen	
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Attachments

application/pkcs7-signature attachment: S/MIME Cryptographic Signature

Received on Monday, 1 October 2012 14:48:32 UTC