[foaf-protocols] CGI::Auth::FOAF_SSL mumblings
home_pw at msn.com
Tue Dec 8 18:32:42 CET 2009
Good. This is the way it should be.
We have finally broken out of the mental model of https. Not only is it
broken as a layer and proxying protocol, its trust and naming model have
outgrown their usefulness.
From: foaf-protocols-bounces at lists.foaf-project.org
[mailto:foaf-protocols-bounces at lists.foaf-project.org] On Behalf Of Toby
Sent: Tuesday, December 08, 2009 9:08 AM
To: foaf-protocols at lists.foaf-project.org
Subject: [foaf-protocols] CGI::Auth::FOAF_SSL mumblings
I've spent a few minutes this afternoon doing a little work on my Perl
Interesting features coming up:
* Now uses RDF::Trine instead of RDF::Redland. This is mostly
an internal change that only "advanced" users are likely to
* If the certificate's subjectAltName field contains more than
one URI, the previous behaviour was to only check the first
and ignore all others. Now, it keeps going until it finds a
URI which matches the certificate's modulus and exponent.
What do other implementations (e.g. libAuthentication) do
when presented with a certificate with multiple URIs?
* If the certificate has no URIs, or none of the URIs it has
match its modulus and exponent, then e-mail addresses in the
subjectAltName field are checked using Fingerpoint to find
data about the owners of the addresses.
This last point goes beyond our normal technique of validating
certificates. I'd be interested to hear what people think about it. This
provides the ability to use FOAF+SSL with certificates that have e-mail
addresses but not URIs - this may be a useful fallback as OpenSSL is
preconfigured to create certificates like this, so it's likely that
there are a lot of existing certificates like this -- perhaps many from
well-known certification authorities.
Toby A Inkster
<mailto:mail at tobyinkster.co.uk>
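The two behaviours Toby describes (checking only the first subjectAltName URI versus walking every URI and then falling back to e-mail addresses) can be expressed as a small matching routine. The following is an added example and not code from CGI::Auth::FOAF_SSL or from Toby's post (that module is Perl; this is Python). The profile lookup is a constructed in-memory stand-in for dereferencing a WebID URI or running a Fingerpoint query, the identifiers and key values are invented toy-sized numbers, and the `RSAPublicKey`, `ClientCertificate`, `authenticate_first_uri_only` and `authenticate` names are this example's own.

```python
from dataclasses import dataclass, field
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RSAPublicKey:
    """Modulus and public exponent of the RSA key found in the client certificate."""
    modulus: int
    exponent: int


@dataclass
class ClientCertificate:
    """Only the parts of an X.509 client certificate the check needs.

    Constructed directly for the example rather than parsed from DER/PEM.
    """
    key: RSAPublicKey
    san_uris: List[str] = field(default_factory=list)
    san_emails: List[str] = field(default_factory=list)


# Constructed stand-in for dereferencing a WebID URI (or a Fingerpoint lookup for an
# e-mail address): identifier -> keys that the profile document publishes.
# Toy-sized moduli; real certificates carry 2048-bit or larger keys.
PROFILE_KEYS = {
    "https://example.org/alice#me": [RSAPublicKey(0x9C4F2A3D, 65537)],
    "https://example.org/bob#me": [RSAPublicKey(0x7B11EE05, 65537),
                                   RSAPublicKey(0x1234ABCD, 3)],
    "carol@example.org": [RSAPublicKey(0x55AA55AA, 65537)],
}

Lookup = Callable[[str], Iterable[RSAPublicKey]]


def lookup_profile_keys(identifier: str) -> List[RSAPublicKey]:
    """Keys a profile publishes for an identifier; empty if unknown or unreachable."""
    return PROFILE_KEYS.get(identifier, [])


def key_is_published(cert: ClientCertificate, identifier: str, lookup: Lookup) -> bool:
    """True if the certificate's (modulus, exponent) pair appears in the profile."""
    return any(published == cert.key for published in lookup(identifier))


def authenticate_first_uri_only(cert: ClientCertificate,
                                lookup: Lookup = lookup_profile_keys
                                ) -> Optional[Tuple[str, str]]:
    """Previous behaviour described in the post: only the first URI is consulted."""
    if not cert.san_uris:
        return None
    uri = cert.san_uris[0]
    return ("uri", uri) if key_is_published(cert, uri, lookup) else None


def authenticate(cert: ClientCertificate,
                 lookup: Lookup = lookup_profile_keys
                 ) -> Optional[Tuple[str, str]]:
    """New behaviour: try every URI in order; if none matches, try e-mail addresses.

    Returns the kind of identifier that matched and the identifier itself,
    or None when the certificate cannot be tied to any published key.
    """
    for uri in cert.san_uris:
        if key_is_published(cert, uri, lookup):
            return ("uri", uri)
    for email in cert.san_emails:
        if key_is_published(cert, email, lookup):
            return ("email", email)
    return None


if __name__ == "__main__":
    # A certificate whose key belongs to the second URI listed: the old check fails,
    # the new one finds it.
    cert = ClientCertificate(
        key=RSAPublicKey(0x7B11EE05, 65537),
        san_uris=["https://example.org/alice#me", "https://example.org/bob#me"],
    )
    print("first-URI-only:", authenticate_first_uri_only(cert))
    print("all URIs + e-mail fallback:", authenticate(cert))
```

Comparing modulus and exponent as integers, rather than as the hex or decimal strings a profile might serialise them in, sidesteps mismatches caused by case, leading zeros or differing radix. Note that the e-mail fallback authenticates the address only as far as the Fingerpoint lookup itself can be trusted; the caller still has to decide whether an identity established that way should be granted the same access as one backed by a URI the user controls.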