[foaf-protocols] Signing browser certificates with WebId

Henry Story henry.story at bblfish.net
Tue Sep 7 17:45:14 CEST 2010


On 7 Sep 2010, at 16:08, Reto Bachmann-Gmür wrote:

> If we want to enable Web-of-trust features based on WebId it is important that an identity is associated with a small and relatively stable set of keys.

You need to phrase that differently. As it stands that is wrong, since one can build a web of trust with very unstable keys. The web is formed by linking the URLs in a linked data pattern using vocabularies such as foaf.

See: 
http://esw.w3.org/Foaf%2Bssl/FAQ#How_does_this_improve_over_X.509_or_GPG_Certificates.3F

> However, as creation of keys is cheap it is likely that users create keys quite often, for different devices as well as short-term keys for temporary machines. In such a scenario a web-of-trust referencing individual keys is hard to build and the possibilities to establish trust using mechanisms such as those provided by Perspectives [1] are limited.

So this is more an issue of reinforcing trust.

> If the WebId were associated with a long-term certificate with which the individual browser certificates are signed, this would allow the creation of many short-term certificates for different clients while associating the WebId with a stable public key.

The idea sounds intriguing. But one would need a lot more detail to work out if this works. 

Some questions:

 - what threat is this an answer to?
 - how does the long term public key answer that threat?
 - what changes to the protocol need to be made for this to work?

Adding a relation for a long term public key is clearly not the problem. 

> I think the mechanism is relatively easy: the Identification agents would have to go up the chain of X.509 certificates, at least as long as the certs claim the same WebId, until the verification of one succeeds. Not sure how much more complicated the creation of certificates would get.

Where would the private key of the long term public key be stored? Who would sign these certificates? 

> 
> Cheers,
> reto
> 
> 1. http://www.cs.cmu.edu/~perspectives/firefox.html (thanks Melvin for pointing me to it)
> _______________________________________________
> foaf-protocols mailing list
> foaf-protocols at lists.foaf-project.org
> http://lists.foaf-project.org/mailman/listinfo/foaf-protocols

Social Web Architect
http://bblfish.net/
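To make the mechanism Reto sketches concrete, the following is an added example, not code from the thread or from any WebID implementation. It uses only the Go standard library and assumes ECDSA P-256 keys and a constructed WebID (`https://example.org/alice#me`) with no real profile behind it; where the verifier would normally dereference the profile, it is handed the published key directly. The long-term private key is assumed to be held by the user and used only to sign browser certificates. `NewCert`, `BuildDemoChain`, `claimsWebID` and `VerifyChain` are names chosen here. The walk goes from the browser certificate upwards, continues only while each certificate claims the same WebID in its subjectAltName, checks the child's signature against the parent before stepping up, and succeeds at the first certificate whose key is the one the profile publishes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Constructed WebID for the example; there is no real profile behind it.
const webID = "https://example.org/alice#me"

var serial int64 // demo-only counter; a real issuer uses random serials

// NewCert generates a fresh P-256 key and a certificate for it that claims id
// as a subjectAltName URI, which is where WebID certificates carry the identifier.
// parent == nil gives a self-signed cert (the long-term key); otherwise signer must
// be parent's private key. isCA lets the certificate sign further certificates.
func NewCert(id string, parent *x509.Certificate, signer *ecdsa.PrivateKey,
	isCA bool, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	u, err := url.Parse(id)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: id},
		URIs:                  []*url.URL{u},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(lifetime),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildDemoChain sets up the thread's scenario: a long-term self-signed cert whose
// key is what the profile publishes, and a 24h browser cert signed by it. Both
// claim the same WebID. Returns the chain leaf-first plus the published key.
func BuildDemoChain() ([]*x509.Certificate, *ecdsa.PublicKey, error) {
	longTerm, longTermKey, err := NewCert(webID, nil, nil, true, 5*365*24*time.Hour)
	if err != nil {
		return nil, nil, err
	}
	browser, _, err := NewCert(webID, longTerm, longTermKey, false, 24*time.Hour)
	if err != nil {
		return nil, nil, err
	}
	return []*x509.Certificate{browser, longTerm}, &longTermKey.PublicKey, nil
}

// claimsWebID reports whether the certificate names id among its SAN URIs.
func claimsWebID(cert *x509.Certificate, id string) bool {
	for _, u := range cert.URIs {
		if u.String() == id {
			return true
		}
	}
	return false
}

// VerifyChain is the walk sketched in the thread: start at the browser (leaf) cert,
// climb only while each cert claims the same WebID, and stop at the first whose key
// is the one the profile publishes. Before each step the child's signature is
// checked against the parent, so a parent that never signed the leaf cannot vouch
// for it. Returns the depth (0 = browser cert) at which the published key was found.
func VerifyChain(id string, chain []*x509.Certificate, profileKey *ecdsa.PublicKey) (int, error) {
	for i, cert := range chain {
		if !claimsWebID(cert, id) {
			return -1, fmt.Errorf("cert %d does not claim %s; stopping", i, id)
		}
		if now := time.Now(); now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
			return -1, fmt.Errorf("cert %d is outside its validity period", i)
		}
		if profileKey.Equal(cert.PublicKey) {
			return i, nil
		}
		if i+1 < len(chain) {
			if err := cert.CheckSignatureFrom(chain[i+1]); err != nil {
				return -1, fmt.Errorf("cert %d not signed by cert %d: %w", i, i+1, err)
			}
		}
	}
	return -1, errors.New("no cert in the chain carries the key the profile publishes")
}
```

With the demo chain, `VerifyChain(webID, chain, profileKey)` returns depth 1: the browser key is not in the profile, so the walk verifies the browser certificate's signature, steps up to the long-term certificate and matches its key. The browser certificate alone, a chain claiming a different WebID, or a parent that claims the same WebID but did not sign the leaf all fail. The example does not answer Henry's question of where the long-term private key lives or who operates the signing step; it only shows what the verifier side would have to do.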
