[foaf-protocols] FOAF+SSL and root certificates

Story Henry henry.story at bblfish.net
Sat Feb 13 19:55:14 CET 2010


On 12 Feb 2010, at 14:50, Stephen Dawkins wrote:

> Hi All
> 
> I've been following FOAF+SSL for a while now, and I have a question.
> 
> Was there any consensus on the creation of a root certificate/CA for
> FOAF+SSL certificates?

It was considered as a way of resolving the issue between two incompatible SSL specs, TLS1.0 and TLS1.1, the latter one no longer requiring this.
 
http://lists.foaf-project.org/pipermail/foaf-protocols/2009-February/000264.html

As we could not find any information about which browsers worked in what way, we have not pursued this. It could well be that TLS1.0 was not correctly describing browser behaviour.

> I ask because the current state of allowing any installed certificate to
> be sent could be confusing to users. As it is, my myopenid.com certificate
> shows up when using a FOAF+SSL site. This certificate clearly won't work,
> so it shouldn't be shown.

Do they send a Certificate Request List to your browser? If they did, then the browser should be offering you a choice only between certificates they accept.

> Creating a root certificate would make things much clearer, and allow
> browsers to provide a better interface when dealing with these
> certificates (ala Microsoft's CardSpace GUI), and also provide better
> security by offering to password protect the certificate when storing it.

Are you sure it would?

This is worth testing very carefully beforehand on all browsers, so that we could get an idea of how much something like this could improve things. I have noticed some browsers giving me options to send certificates that had clearly expired. [I think this was Firefox - if so we should report this as a bug]

But also I think foaf+ssl is generic enough and simple enough that anyone should be able to apply it easily, even Verisign. As such any certificate should in the end be sendable. And we don't want to limit the possibility of Certificate Authorities not adding their URL to their issuer alternative name too.

The solution one is looking for is one where the server could say something like: send me any certificate that has a URL in the subject alternative name.

> I would create a root certificate (valid for a very long time as it isn't
> really being used for security) and a website to sign any CSRs (I wouldn't
> go as far as to publish the private key, that just doesn't seem right to
> me).

That would be fine. But I don't think we should have that as part of the standard then, because that would force everyone to pass through your service to create certificates.

> 
> Does anyone have any thoughts on this?
> 
> Regards
> Stephen
> 
> (ps. please CC me in on responses, as I'm not subscribed)
> 
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols at lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols
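An added example, not code from the thread or the FOAF+SSL project: the chooser rule the reply asks for (offer only certificates that are currently valid and carry a URL in the subject alternative name), written against Go's standard-library x509 package. MakeCert, Offerable and the example.invalid WebIDs are constructed for the demonstration; the certificates are generated in memory and are not real credentials.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// MakeCert builds a self-signed certificate in memory (constructed sample data, not a
// real credential); webid == "" gives a cert with no URI SAN, like the myopenid.com one.
func MakeCert(cn, webid string, notBefore, notAfter time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	if webid != "" {
		u, err := url.Parse(webid)
		check(err)
		tmpl.URIs = []*url.URL{u} // encoded as a subjectAltName URI entry
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der) // re-parse so URIs come from the real extension
	check(err)
	return cert
}

// Offerable is the chooser rule the reply asks for: keep only certificates that are
// valid at now and carry at least one URI in subjectAltName (the WebID).
func Offerable(certs []*x509.Certificate, now time.Time) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range certs {
		if !now.Before(c.NotBefore) && !now.After(c.NotAfter) && len(c.URIs) > 0 {
			out = append(out, c)
		}
	}
	return out
}
```

A browser applying Offerable would hide both the expired certificate mentioned above and any certificate without a URI in its subject alternative name, while still accepting WebID certificates from any issuer.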


