Jonas Smedegaard <d...@jones.dk> writes:

> Quoting Russ Allbery (2013-05-16 18:37:06)
>> but it's not clear to me why we'd bother as opposed to just issuing
>> client X.509 certificates with the metadata already included.

> Because the very separation of identifiers from the identified makes the
> identifiers usable to reliably semantically express Web of Data.
> http://linkeddata.org/

Could you explain this in more concrete terms? I'm at a loss to understand
what this means, and the web site wasn't horribly helpful.

A certificate constitutes a public key, signatures on that public key, some
metadata about the certificate itself (such as acceptable usage for that
certificate), and metadata about the entity identified by that certificate.

The URI pointed to by a WebID certificate contains the public key of the
certificate and metadata about the entity identified by the certificate.

They're both functionally the same thing, except the certificate carries
more information (such as usage information for the certificate) and has a
better-understood security model. I know how to validate that the metadata
is correctly bound to the certificate; to do the same operation with WebID,
I have to think harder about the security model in place.

I can understand why you may want to externalize the metadata if you have
no control over the certificate creation process and therefore can't put
metadata directly in it. I don't understand what you gain (other than
complexity) by externalizing the metadata if you *do* control the
certificate generation process. A certificate can hold whatever structured
data you want, including URIs, structured XML, JSON objects, etc., and that
data is authenticated and integrity-protected via well-understood existing
security protocols without having to invent something new.

What am I missing?

I suppose one thing that I could be missing is that, with a certificate,
you have no privacy controls over what metadata you release. Whatever you
put in the certificate is visible to anyone who looks at the certificate.
(Well, you could encrypt it and then distribute a separate key, but that's
getting into pointless complexity.) Whereas in theory your WebID endpoint
could release different metadata depending on who asks. But since WebID
doesn't authenticate the entity asking for metadata, I'm not sure that's
really what's going on.

-- 
Russ Allbery (r...@debian.org)               <http://www.eyrie.org/~eagle/>

Archive: http://lists.debian.org/87d2sqydif....@windlord.stanford.edu
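The two binding models Russ contrasts above, as an added example that is not code from this thread or from any WebID implementation. The same self-signed client certificate carries a WebID-style URI in subjectAltName and a JSON metadata blob in a private extension, so it can be checked both ways. The OID `1.3.6.1.4.1.99999.1`, the JSON encoding of the metadata, and the in-memory `profiles` map that stands in for fetching the WebID document over HTTP are all assumptions made for this example; real WebID profiles are RDF. In the X.509 model the chain verification is what authenticates the metadata; in the WebID model the certificate signature carries no weight and the only thing tying the metadata to the presenter is that the key published at the URI equals the key in the certificate. An impersonation attempt (a fresh key claiming Alice's URI) is rejected by each model for a different reason.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Metadata is the identity data both models want to convey.
type Metadata struct {
	Name  string   `json:"name"`
	Email string   `json:"email"`
	Roles []string `json:"roles"`
}

// oidMetadata is a made-up private-enterprise OID (assumption, not from the thread)
// for the extension that carries Metadata inside the certificate.
var oidMetadata = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// issueCert builds a self-signed client certificate carrying both a WebID-style
// URI in subjectAltName and the metadata JSON in a custom extension.
func issueCert(webid string, md Metadata) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	u, err := url.Parse(webid)
	if err != nil {
		return nil, nil, err
	}
	blob, err := json.Marshal(md)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: md.Name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it can act as its own trust anchor
		URIs:                  []*url.URL{u},
		ExtraExtensions:       []pkix.Extension{{Id: oidMetadata, Value: blob}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// trustOnly returns a pool whose only trust anchor is the given certificate.
func trustOnly(cert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return pool
}

// metadataFromCert: X.509 model. The chain check authenticates the metadata,
// so verify first, then read the extension. No external lookup is involved.
func metadataFromCert(cert *x509.Certificate, roots *x509.CertPool) (Metadata, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return Metadata{}, err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidMetadata) {
			var md Metadata
			err := json.Unmarshal(ext.Value, &md)
			return md, err
		}
	}
	return Metadata{}, errors.New("certificate carries no metadata extension")
}

// Profile stands in for the document served at the WebID URI (constructed here,
// fetched over HTTP in real WebID; real profiles are RDF, not a Go struct).
type Profile struct {
	PublicKeyDER []byte
	Metadata     Metadata
}

// profileFor publishes the certificate's key alongside the metadata, as a WebID profile would.
func profileFor(cert *x509.Certificate, md Metadata) (Profile, error) {
	der, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
	return Profile{PublicKeyDER: der, Metadata: md}, err
}

// metadataFromWebID: WebID model. The certificate signature is ignored; what
// binds the metadata to the presenter is that the key at the URI equals the
// certificate's key. Without that comparison anyone could mint a certificate
// naming someone else's URI and inherit their metadata.
func metadataFromWebID(cert *x509.Certificate, profiles map[string]Profile) (Metadata, error) {
	if len(cert.URIs) != 1 {
		return Metadata{}, errors.New("expected exactly one WebID URI in subjectAltName")
	}
	p, ok := profiles[cert.URIs[0].String()]
	if !ok {
		return Metadata{}, errors.New("profile not found at WebID URI")
	}
	der, err := x509.MarshalPKIXPublicKey(cert.PublicKey)
	if err != nil {
		return Metadata{}, err
	}
	if !bytes.Equal(der, p.PublicKeyDER) {
		return Metadata{}, errors.New("key published at WebID URI does not match certificate key")
	}
	return p.Metadata, nil
}

func main() {
	uri := "https://example.org/alice#me"
	md := Metadata{Name: "Alice", Email: "alice@example.org", Roles: []string{"developer"}}
	alice, _, err := issueCert(uri, md)
	if err != nil {
		panic(err)
	}
	prof, _ := profileFor(alice, md)
	profiles := map[string]Profile{uri: prof}
	fmt.Println(metadataFromCert(alice, trustOnly(alice)))
	fmt.Println(metadataFromWebID(alice, profiles))

	// Impersonation attempt: a fresh key claiming Alice's URI and name.
	mallory, _, _ := issueCert(uri, Metadata{Name: "Alice"})
	fmt.Println(metadataFromCert(mallory, trustOnly(alice))) // rejected: unknown authority
	fmt.Println(metadataFromWebID(mallory, profiles))        // rejected: key mismatch
}
```

Note what each rejection relies on: the X.509 path fails because Mallory's certificate does not chain to a trusted issuer, which is a property of the certificate alone; the WebID path fails only because the verifier fetched the profile and compared keys, so the security of that model rests on the integrity of that fetch (and of whoever controls the document at the URI), exactly the part Russ says he has to think harder about.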