Quoting Russ Allbery (2013-05-16 20:40:24)
> Jonas Smedegaard <d...@jones.dk> writes:
> > Quoting Russ Allbery (2013-05-16 18:37:06)
> >> but it's not clear to me why we'd bother as opposed to just issuing
> >> client X.509 certificates with the metadata already included.
> > Because the very separation of identifiers from the identified makes
> > the identifiers usable to reliably semantically express Web of Data.
> > http://linkeddata.org/
>
> Could you explain this in more concrete terms? I'm at a loss to
> understand what this means, and the web site wasn't horribly helpful.
Please see my other post where I try to draw a parallel to government
passports used for PGP keysigning.

> A certificate constitutes a public key, signatures on that public key,
> some metadata about the certificate itself (such as acceptable usage
> for that certificate), and metadata about the entity identified by
> that certificate.
>
> The URI pointed to by a WebID certificate contains the public key of
> the certificate and metadata about the entity identified by the
> certificate.
>
> They're both functionally the same thing, except the certificate
> carries more information (such as usage information for the
> certificate) and has a better-understood security model. I know how
> to validate that the metadata is correctly bound to the certificate;
> to do the same operation with WebID, I have to think harder about the
> security model in place.
>
> I can understand why you may want to externalize the metadata if you
> have no control over the certificate creation process and therefore
> can't put metadata directly in it. I don't understand what you gain
> (other than complexity) by externalizing the metadata if you *do*
> control the certificate generation process. A certificate can hold
> whatever structured data you want, including URIs, structured XML,
> JSON objects, etc., and that data is authenticated and
> integrity-protected via well-understood existing security protocols
> without having to invent something new.
>
> What am I missing?

I think you are missing the potential for third parties to make use of
identifiers without needing authentication.

Without WebID, Debian stores internally the knowledge that "we have a
user js" corresponding to a means for me to authenticate that "I am the
js @ Debian".

With WebID, Debian publishes that "we have a user js" both corresponding
to a means for me to authenticate that "I am the js @ Debian" and for
others to refer to "the js @ Debian".
 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet-arkitekt
 * Tlf.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Archive: http://lists.debian.org/20130516195229.29499.19...@bastian.jones.dk