[foaf-protocols] Multiple URIs in SAN extension

Henry Story henry.story at gmail.com
Tue Aug 10 10:04:01 CEST 2010


On 10 Aug 2010, at 09:11, Reto Bachmann-Gmür wrote:

> My latest draft, which I think you pulled mandates exactly one URI.
> 
> I don't know about reasons or avantages of having multiple uris.

One can have multiple URIs in a SAN that is a fact of X.509. We don't know what the advantages may be of having multiple. So unless we can prove that it is illogical, we should not mandate having only one.

Furthermore I think there is a case to be made for having multiple URIs in a SAN for failover. 

The way to deal with it is furthermore very simple.

For every URI wid1, wid2, wid3, ... for which the WebID proof works it is true that

   pkey cert:identity wid, wid2, wid3 ...


since cert:identity is (well it should be) an owl:functionalProperty, it follows that

    wid = wid2 = wid3 = ...

This is useful for the RelyingAgent to know, as if at a later date one of those
fails to be dereferenceable it can use the others. 

Note that though this does give the user failover protection, it also increases
the number of ways he can be attacked.

But it is not that easy to create one X509 cert with many WebIDs in it, if it is not somehow coordinated by the same service, so there is reason to think that when it is used, it is used conscientiously.

	Henry

> 
> Cheers,
> reto
> 
> ----- Original message -----
>> On 08/09/2010 08:48 PM, Stéphane Corlosquet wrote:
>>> I'm on Bruno's side and I think we should not lock down the SAN to
>>> exactly one URI. If there is time and interest tomorrow during the
>>> call, I'd like to raise this issue.
>> 
>> Stéphane,
>> 
>> Can you log it as a bug against the spec?
>> 
>> http://github.com/msporny/webid-spec/issues
>> 
>> -- manu
>> 
>> -- 
>> Manu Sporny (skype: msporny, twitter: manusporny)
>> President/CEO - Digital Bazaar, Inc.
>> blog: WebID - Universal Login for the Web
>> http://blog.digitalbazaar.com/2010/08/07/webid/2/
>> _______________________________________________
>> foaf-protocols mailing list
>> foaf-protocols at lists.foaf-project.org
>> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
> 
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols at lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols



More information about the foaf-protocols mailing list