[foaf-protocols] Standardising the foaf+ssl protocol to launch the Social Web

[Nathan]

Henry Story wrote:
> On 16 Jul 2010, at 13:47, Toby Inkster wrote:
>> Let's consider:
>>
>> 	subjectAltName = "URI:mailto:mail at tobyinkster.co.uk"
>> 	subjectAltName = "URI:acct:me at tobyinkster.co.uk"
>>
>> I consider these flat-out wrong. Every URI that begins "mailto:"
>> identifies a mailbox, not a foaf:Agent. Similarly, every URI that begins
>> with "acct:" identifies an account, not a foaf:Agent. The URI given in
>> the subjectAltName must be a direct identifier for the agent.
>>
>> On the other hand:
>>
>> 	subjectAltName = "email:mail at tobyinkster.co.uk"
>>
>> is a different matter. That's fine as far as I'm concerned.
>>
>> For an explanation, what you should do is consider the subjectAltName to
>> be an RDF graph. Each item in the subjectAltName represents a triple.
>> For each triple, the subject is implicit - it's the holder of the
>> certificate; the predicate is determined by the part of the item before
>> the first colon; the object by the part after the first colon. So, for
>> example, the following subjectAltName:
>>
>> 	subjectAltName = email:mail at tobyinkster.co.uk,
>> 		email:tai at g5n.co.uk,
>> 		URI:http://tobyinkster.co.uk/#i
> 
> what is this email: ? Is that a new protocol scheme? Or is that part
> of the X509 spec?

subjectAltName can include multiple values of the types:
   email
   URI
   DNS
   RID
   IP
   dirName
   otherName

see: 
http://www.openssl.org/docs/apps/x509v3_config.html#Subject_Alternative_Name_

I personally include my WebID and my email within my x509 certificate, 
it's that other bit of critical identifying information which let's 
people communicate with me.

IMHO it's a very important bit of info to include and is worth giving 
some thought and dare I say even mentioning in the protocol.

Certainly though we need people to be aware they may come across several 
values in a single subjectAltName (some libs don't cater for this).

Best,

Nathan