On 8 Jun 2010, at 22:18, Eddy Nigg (StartCom Ltd.) wrote:

> 
> On 06/08/2010 08:47 PM, From Story Henry:
>> You DON'T need to export the certificate! You just create a new one: it's a 
>> one-click procedure!  
> 
> Doesn't that defeat the purpose and protection of using digital certificates 
> in first place?

No. 

That's the trick of foaf+ssl: we do not rely on Certificate Authorities to 
vouch for the client. The certificates can be either self-signed, or signed by 
some unknown CA. 

The trick used is the same as the one used by OpenID. (In fact OpenID inspired 
much of what is behind Web ID.) The SSL connection lets the server know that 
the client has the private key of the public key sent in the X.509 certificate. 
Because the X.509 certificate also contains the Web ID (in the subject 
alternative name position), the server can do an HTTPS GET on the WebID and if 
the public key matches there, identity is proven.

So we do change the server SSL/TLS proof method. I have put this past a lot of 
security experts in the past year, and we have implementations in most major 
languages. If you can see a problem it may be worth going over to the 
foaf-protocols mailing list

   http://lists.foaf-project.org/mailman/listinfo/foaf-protocols

Henry


> 
> Regards
> Signer:       Eddy Nigg, COO/CTO
>       StartCom Ltd. <http://www.startcom.org>
> XMPP:         [email protected] <xmpp:[email protected]>
> Blog:         Join the Revolution! <http://blog.startcom.org>
> Twitter:      Follow Me <http://twitter.com/eddy_nigg>
> 
> 
> _______________________________________________
> specs mailing list
> [email protected]
> http://lists.openid.net/mailman/listinfo/openid-specs

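The server-side check Henry describes above (match the key in the TLS-authenticated client certificate against the key published at the WebID found in its subjectAltName), as an added example that is not part of the original thread or of any foaf+ssl implementation. It assumes the TLS layer has already proven possession of the private key, stands in for the HTTPS GET with a constructed local profile, and requires https WebIDs as a policy choice of this example; the `ClientCert` class, the `PROFILES` table and the regex-based key extraction are all constructed here, not a real Turtle parser.

```python
import re
from dataclasses import dataclass
from urllib.parse import urldefrag, urlparse

# Constructed stand-in for the client certificate that the TLS handshake has
# already proven the client holds the private key for (assumption: the TLS
# layer verified proof of possession; it need not trust the issuing CA).
@dataclass(frozen=True)
class ClientCert:
    san_uris: tuple   # subjectAltName URI entries, i.e. the claimed WebIDs
    modulus: int      # RSA modulus of the certificate's public key
    exponent: int     # RSA public exponent

# Constructed profile documents keyed by URL, standing in for the HTTPS GET.
PROFILES = {
    "https://example.org/alice": """
        @prefix cert: <http://www.w3.org/ns/auth/cert#> .
        <https://example.org/alice#me> cert:key [
            cert:modulus "00c0ffee1234abcd"^^xsd:hexBinary ;
            cert:exponent 65537 ] .
    """,
}

# Simplified extraction of (modulus, exponent) pairs; not a full Turtle parser.
KEY_RE = re.compile(r'cert:modulus\s+"([0-9a-fA-F]+)".*?cert:exponent\s+(\d+)', re.S)

def profile_keys(document):
    """Return the set of RSA public keys (modulus, exponent) listed in a profile."""
    return {(int(m, 16), int(e)) for m, e in KEY_RE.findall(document)}

def fetch_profile(webid):
    """Dereference the WebID with its fragment stripped. Here: local lookup only."""
    return PROFILES.get(urldefrag(webid).url)

def verify_webid(cert):
    """Return the first WebID whose profile lists the certificate's key, else None."""
    for webid in cert.san_uris:
        # Policy choice of this example: only https WebIDs, so the profile
        # fetched to confirm the key cannot be altered in transit.
        if urlparse(webid).scheme != "https":
            continue
        document = fetch_profile(webid)
        if document is None:
            continue
        # A key match means the holder of the certificate's private key
        # is the person who controls the profile document at that WebID.
        if (cert.modulus, cert.exponent) in profile_keys(document):
            return webid
    return None
```

A certificate that is self-signed but whose key is not listed at its WebID, or whose SAN points at a profile that does not exist, is rejected without any CA chain being consulted.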