[foaf-protocols] getting the certificate to work on first usage
nathan at webr3.org
Sat May 22 23:11:16 CEST 2010
Story Henry wrote:
> Ok. I think I found the bug!
> It's just stupid - as bugs usually are. SIGH! Anyway, I think there is something for us all here to learn from.
> Very simply put: foafssl.org's clock being out of sync is what caused
> the problem. It is 2 minutes out of sync, and this is what is causing
> the problem, as the verification checks the validity from, and after
> on the certificate. A newly created certificate on webid.myxwiki.org
> will be seen as not being valid yet.
Nice bug! Glad you got it fixed :)
> This is not something that one usually comes across with certificates I suppose,
> as those are
> 1. used on the same server that produced them usually
> 2. often passed around by e-mail so any such time problems
> will often get lost in the time it takes to set things up
> This is clearly a very good reason for improving the debugging on the
> causes of any problem - this is what I had been working on in March
> (before my philosophy holiday). It just took me some time to get back into
> the groove.
> So I will be improving the debug statements.
> What should we do? Should we be lenient for certificates not valid before date?
> By an hour? Two hours?
I feel it's very much a context-related thing; being lenient or ignoring
dates altogether on a self-signed certificate feels fine to me, but
ignoring the dates on a trusted CA-issued cert which somebody has bought
is an entirely different matter. And moreover, can we decide what each
application should be comfortable with?
Further thinking leads me to: what if an org has given staff a work
foaf+ssl with a strict date/time range on it, even a temporary cert from
1300-1800 on a single day for a consultant?
Perhaps the most prudent thing to do would be to simply notify the user
of the issue, so that they can go back to where they got the certificate
and inform them of the time issue.
> Thanks all for your help here. And sorry to have taken so long to
> notice this. I know Melvin had pointed out this problem a while back on the foafssl
> On 19 May 2010, at 15:13, Story Henry wrote:
>> The following issue may be what is holding us up a bit.
>> 0. (re)start firefox (I tried this out on 3.6)
>> 1. Go to http://webid.myxwiki.org/
>> 2. Create a new account, or add a new certificate to your account
>> 3. go to http://nanoblog.me/
>> then I get http://nanoblog.me/index.php?error=noVerifiedWebID
>> I tried https://foaf.me/simpleLogin.php
>> but it worked this time, though it did not a previous time.
>> If I restart the web browser it works, but not it seems necessarily the first
>> time. Perhaps the second time.... ?
>> This seems to be a problem we are always bumping into. We need to squash it.
>> Does anyone else have the same problem?
>> Let me try a few other browsers...
>> Social Web Architect
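The notBefore failure described in this thread, together with the context-dependent leniency and user notification discussed in the reply, as an added example that is not part of the original messages or of any foaf+ssl implementation. The `LEEWAY` values, the context names and the sample timestamps are assumptions made for illustration, and the validity dates are taken as already parsed from the certificate.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical per-context tolerances for notBefore (assumed values, not from the thread).
LEEWAY = {"self_signed": timedelta(minutes=5), "ca_issued": timedelta(0)}


@dataclass
class Result:
    accepted: bool
    verdict: str   # "valid", "within_skew", "not_yet_valid" or "expired"
    detail: str    # message suitable for a debug log or for showing the user


def check_validity(not_before, not_after, now, context="ca_issued"):
    """Compare a certificate's validity window with the verifier's clock.

    The tolerance applies to notBefore only (the freshly issued certificate
    case); notAfter is never extended.
    """
    if now > not_after:
        return Result(False, "expired", f"notAfter passed {now - not_after} ago")
    if now >= not_before:
        return Result(True, "valid", "verifier clock is inside the validity window")
    gap = not_before - now
    detail = (f"notBefore is {gap} ahead of the verifier clock; "
              "the issuer's or the verifier's clock may be out of sync")
    if gap <= LEEWAY[context]:
        return Result(True, "within_skew", detail)
    return Result(False, "not_yet_valid", detail)


# Constructed sample: certificate just issued, verifier clock 2 minutes behind the issuer.
ISSUED = datetime(2010, 5, 19, 15, 13, tzinfo=timezone.utc)
NOT_AFTER = ISSUED + timedelta(days=365)
VERIFIER_NOW = ISSUED - timedelta(minutes=2)

if __name__ == "__main__":
    for ctx in ("self_signed", "ca_issued"):
        r = check_validity(ISSUED, NOT_AFTER, VERIFIER_NOW, ctx)
        print(f"{ctx}: accepted={r.accepted} verdict={r.verdict} ({r.detail})")
```

Both outcomes carry the measured gap in `detail`, so a rejected login can report the time problem instead of failing with a generic verification error.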