Hi Henry,

On Jun 8, 2010, at 4:30 PM, Story Henry wrote:

> On 8 Jun 2010, at 22:18, Eddy Nigg (StartCom Ltd.) wrote:
>
>> On 06/08/2010 08:47 PM, From Story Henry:
>>> You DON'T need to export the certificate! You just create a new one: it's a
>>> one click procedure!
>>
>> Doesn't that defeat the purpose and protection of using digital certificates
>> in the first place?
>
> No.
>
> That's the trick of foaf+ssl: we do not rely on Certificate Authorities to
> vouch for the client. The certificates can be either self signed, or signed
> by some unknown CA.
>
> The trick used is the same as the one used by OpenID. (In fact OpenID
> inspired much of what is behind Web ID.) The SSL connection lets the server
> know that the client has the private key of the public key sent in the X.509
> certificate. Because the X.509 certificate also contains the Web ID (in the
> subject alternative name position), the server can do an HTTPS get on the
> WebID and if the public key matches there, identity is proven.
>
> So we do change the server SSL/TLS proof method. I have put this past a lot
> of security experts in the past year, and we have implementations in most
> major languages. If you can see a problem

I see only the same problem I saw (and reported to you) 2 years ago - which is that for all the cryptography involved, it still seems possible for an individual to self-assert that they have a WebID and that it is linked to some certificate and private/public key. Which is to say, why bother with all the crypto if a user can self-assert his or her WebID and FOAF file anyway?

OpenID relies on an OpenID provider "vouching" that a particular URI is "owned" by some user for whom the OpenID provider has an account. You could also run your own OpenID provider and self-assert that way. And the question is whether that is a particularly interesting thing to do in a Web context (as we self-assert all the time without any special protocols needed and it works fine for many things without new techniques, systems or other technology).

Regards,
- johnk

> it may be worth going over to the foaf-protocols mailing list
>
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
>
> Henry
>
>> Regards
>> Signer: Eddy Nigg, COO/CTO
>> StartCom Ltd. <http://www.startcom.org>
>> XMPP: [email protected] <xmpp:[email protected]>
>> Blog: Join the Revolution! <http://blog.startcom.org>
>> Twitter: Follow Me <http://twitter.com/eddy_nigg>
>>
>> _______________________________________________
>> specs mailing list
>> [email protected]
>> http://lists.openid.net/mailman/listinfo/openid-specs
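The server-side check the thread describes (read the WebID from the certificate's subjectAltName, fetch the profile over HTTPS, compare the public key), written out as an added Python example that is not part of this thread or of any foaf+ssl implementation. The (modulus, exponent) key model, the `fetch_profile` callback and the sample profile data are assumptions that stand in for an X.509 parser, an HTTPS client and an RDF parser; the impostor case shows why a self-signed certificate that merely names someone else's WebID is rejected, and the comments mark what actually vouches for the key.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass(frozen=True)
class RsaKey:
    modulus: int
    exponent: int

@dataclass(frozen=True)
class ClientCert:
    san: tuple          # subjectAltName entries as (type, value); the WebID is a URI entry
    public_key: RsaKey  # the key the TLS handshake proved the client holds

def webid_from_cert(cert):
    """Return the first https URI in the SAN, or None if the cert carries no WebID."""
    for kind, value in cert.san:
        if kind == "URI" and urlparse(value).scheme == "https":
            return value
    return None

def verify_webid(cert, fetch_profile):
    """Return the WebID if the profile found there lists the client's key, else None.
    fetch_profile(webid) stands in for 'HTTPS GET the WebID and parse the RDF'; it
    returns {subject_uri: [RsaKey, ...]} or raises OSError when the fetch fails."""
    webid = webid_from_cert(cert)
    if webid is None:
        return None
    try:
        graph = fetch_profile(webid)
    except OSError:
        return None
    # Only a key listed for this exact WebID counts. Note what vouches for the
    # key: whoever controls the document at the WebID URI, not a CA.
    return webid if cert.public_key in graph.get(webid, []) else None

# Constructed sample data (not real keys; a toy modulus is enough for an equality check).
ALICE = "https://alice.example/profile#me"
ALICE_KEY = RsaKey(modulus=0xC0FFEE1234, exponent=65537)
PROFILES = {"https://alice.example/profile": {ALICE: [ALICE_KEY]}}

def fake_fetch(webid):
    """Offline stand-in for the HTTPS GET; the fragment is never sent, so look up the document."""
    doc = webid.split("#", 1)[0]
    if doc not in PROFILES:
        raise OSError("404 Not Found")
    return PROFILES[doc]

if __name__ == "__main__":
    print(verify_webid(ClientCert((("URI", ALICE),), ALICE_KEY), fake_fetch))  # https://alice.example/profile#me
    print(verify_webid(ClientCert((("URI", ALICE),), RsaKey(0xBAD, 65537)), fake_fetch))  # None: impostor cert naming Alice's WebID
```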
