[foaf-protocols] FOAF+SSL trust -- was delegation

Bruno Harbulot Bruno.Harbulot at manchester.ac.uk
Wed Apr 29 16:02:48 CEST 2009



Kingsley Idehen wrote:
> Bruno Harbulot wrote:

> But if you also apply the fact that the cert. carrying the URI could 
> have been issued by a CA, wouldn't that make it stronger? Certainly no 
> less than today's standard X.509 and SSL combo (without URIs in Alt. 
> Subj. Name), right ?

Yes, absolutely, that would be fine. In this case, you wouldn't use 
FOAF+SSL for authentication but do the authentication the PKI way 
(dereferencing then becomes optional, since you'd likely trust the CA 
more than the URI you don't know in advance). Then, you could fetch 
further data using FOAF (equivalent of attribute retrieval) and perform 
authorisation on that basis (of course, you'd have to trust the 
information you get about that ID by crawling the semantic web, so you 
may end up with similar trust problems, but that's a slightly separate 
issue).

I'm not sure if there are any commercial CAs that are willing to emit 
certificates with such a URI in the subjectAltName, but that's a 
possibility. It's definitely possible if it's an institutional CA over 
which you have control.
You might lose a bit of flexibility with this, in terms of global ID, 
since not everyone would recognise the CA (widely commercial or 
institutional). I suppose you could have multiple certificates by a 
number of CAs in this case (perhaps with the same key material).

I think the advantage of mimicking the CA via signed FOAF files (or 
sub-graphs thereof) would make the PKI process a bit more flexible, 
although the administrative and legal process (which is the heavy part 
of the PKI) would remain.


Best wishes,

Bruno.


More information about the foaf-protocols mailing list