[foaf-protocols] FOAF+SSL trust -- was delegation
Bruno Harbulot
Bruno.Harbulot at manchester.ac.uk
Wed Apr 29 16:02:48 CEST 2009
Kingsley Idehen wrote:
> Bruno Harbulot wrote:
> But if you also apply the fact that the cert. carrying the URI could
> have been issued by a CA, wouldn't that make it stronger? Certainly no
> less than today's standard X.509 and SSL combo (without URIs in Alt.
> Subj. Name), right ?
Yes, absolutely, that would be fine. In this case, you wouldn't use
FOAF+SSL for authentication but do the authentication the PKI way
(dereferencing then becomes optional, since you'd likely trust the CA
more than the URI you don't know in advance). Then, you could fetch
further data using FOAF (equivalent of attribute retrieval) and perform
authorisation on that basis (of course, you'd have to trust the
information you get about that ID by crawling the semantic web, so you
may end up with similar trust problems, but that's a slightly separate
issue).
I'm not sure if there are any commercial CAs that are willing to emit
certificates with such a URI in the subjectAltName, but that's a
possibility. It's definitely possible if it's an institutional CA over
which you have control.
You might lose a bit of flexibility with this, in terms of global ID,
since not everyone would recognise the CA (widely commercial or
institutional). I suppose you could have multiple certificates by a
number of CAs in this case (perhaps with the same key material).
I think the advantage of mimicking the CA via signed FOAF files (or
sub-graphs thereof) would make the PKI process a bit more flexible,
although the administrative and legal process (which is the heavy part
of the PKI) would remain.
Best wishes,
Bruno.
More information about the foaf-protocols
mailing list