[foaf-protocols] Logging out early w/ OCSP

Henry Story henry.story at bblfish.net
Mon Sep 20 17:50:15 CEST 2010


On 20 Sep 2010, at 17:04, Joe Presbrey wrote:

> Do your WebID IdP's implement OCSP?
> 
> http://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol

There is no need to implement this with WebID. 

OCSP is just a low bandwidth way of replacing Certificate Revokation
Lists which CAs use to list certificates that are no longer valid.

We get exactly the same effect by removing the public key from the profile.
We could even be more explicit and state that a certificate was no longer 
valid, though this would require some small ontological thinking.

> 
> On a public terminal, It seems I can ask for a 30-minute session
> (literally with X509 enddate/notAfter) but I can't end it early
> without OCSP.

yes. The trick is just to send a message to your server to remove
the public key. It is RESTful and falls in very neatly with what we
have. WebID comes inbuilt with OCSP and CRLs! Perhaps we have not
emphasised this feature enough...

> 
> I would think my IdP's should send OCSP denials for requests for my
> temporarily-issued cert after I click my IdP's Logout button.
> 
> Apache implements OCSP:
> http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslocspenable
> 
> --
> Joe Presbrey



More information about the foaf-protocols mailing list