[foaf-protocols] Self-signing certificates
kidehen at openlinksw.com
Thu Dec 17 19:32:05 CET 2009
Peter Williams wrote:
> FOAF+SSL relies on the fact that the certificate and the FOAF file
> confirm each other.
> It cannot prove whether or not somebody is TimBL, but it can prove that
> they have write access to TimBL's FOAF file.
> [Peter Williams]
> [Peter Williams]
> Not really, as not all foaf cards are persisted as files (or even persisted
> e.g. sixpart, or semantictwitter). But, at this early stage, it's a good
> enough design metaphor (it "can", not that it "does"). Lots of communities
> go through this idealized world view, of how simple public key crypto is.
> Trust in PGP culture, a few trust files, key signing parties, and life is
> good for 6 billion people to use PKC.
> The key thing, which _is_ being achieved, is to get into the mindset of
> "being a relying party" (relying on client certs as signed-names in some or
> other name form, and relying on server-certs from transport channels as
> signed assertions about the name-form known as domain-names and its binding
> to a local socket/endpoint).
> All the foaf card is in foaf+ssl ... is a trust store of (unsigned) pubkeys
> - a resource keyed off the URL in the SAN (just like any other web
> resource). It's no different to the trust store in a replicated/distributed
> ActiveDirectory entry, keyed off the UPN name form in the SAN. The
> foaf+ssl's trust store stores mod/exp, whereas the distributed
> multi-mastered directory stores (self)signed certs (with mods/exps within).
> Not sure there is gounds for a patent here; as the webid is a mere
> embodiment of very old teaching.
> The process of validating a client cert from SSL is different in foaf+ssl
> (and we know the foaf+ssl behavior concerning SSL CA and cert selectors is
> the default operating mechanism of commodity, $20 a year, OS products, like
> IN the foaf_ssl case, there is stuff about using mods/exps and doing integer
> compares using some rdf logic. It is required to use the type system
> reasoning of rdf reasoned (even when comparing a signed and unsigned ints).
> In the UPN world, the SSL server simply computes the inbound client cert's
> fingerprint, finds the cert by fingerprint in the trust store cache
> deferenced by the UPN, confirms the fingerprint match, and then verifies
> that the self-signed cert does self-sign. In more advanced cases where the
> client cert is not self-signed, for a chaining cert there is process
> recursion, using the certs' "issuer backpointer" to locate and deference the
> linked assertion of a inbound cert arc, in the trust chain. Having found it,
> and having resolved its name form (which may now not be a URI, but may be a
> GUID tied to the activedirectory system), one does another round of
> validation... In dynamic systems, the backpointers may be an expression
> rather than a fixed value, which guides discovery of an earlier trust point,
> in the trust fabric available to server.
> foaf-protocols mailing list
> foaf-protocols at lists.foaf-project.org
Well written and stated, can we please persist this in the form of a
White Paper somewhere? I like your description because it inherently
broadens FOAF+SSL's audience. It isn't W3C lingo, its standard Security
Lingo, and this is so vital as we try to re-connect W3C lingo with the
rest of the world so that they can truly appreciate W3C driven efforts
such as Linked Data.
As you can imagine, I see the world this way:
1. No Identity Model == Everything is broken because everything is
inherently vulnerable to hacks that veer down the social dimension pathway
2. No References to Data Objects that transcend platforms, applications,
etc.. == Everything is Silo'd the only variable is the countdown to
By addressing 1&2, the Semantic Web Project has very simple references
to real problems, solved by tangible outputs from its endeavor.
Basically, we end up with demonstrable and comprehensible solutions to
real problems without any mention of markup, RDF, or the illusion that
anything Semantic Web Project related belongs to the theoretical domains
We have something very very special here.
Kingsley Idehen Weblog: http://www.openlinksw.com/blog/~kidehen
President & CEO
OpenLink Software Web: http://www.openlinksw.com
More information about the foaf-protocols