Hi again.

Russ Allbery <r...@debian.org> writes:
> I can understand why you may want to externalize the metadata if you have
> no control over the certificate creation process and therefore can't put
> metadata directly in it. I don't understand what you gain (other than
> complexity) by externalizing the metadata if you *do* control the
> certificate generation process. A certificate can hold whatever
> structured data you want, including URIs, structured XML, JSON objects,
> etc., and that data is authenticated and integrity-protected via
> well-understood existing security protocols without having to invent
> something new.
>

I'm not sure, but I seem to recall that it was quite hard to make sure the SSL certs could store extended attributes, and that the "hack" of using "Subject Alternative Name" to place a URI there (pointing to the FOAF) was the one fortunate discovery that rendered this usable in practice.

Maybe what's true for X.509 certs generation in the CA context where you can basically (hope) to put as much meta-data in there is different from the time when a HTTPS server requires a client cert generation to the requesting browser, where only a minimal set of meta-data is accepted by the browser crypto engines in the generation query?

> What am I missing?
>
> I suppose one thing that I could be missing is that, with a certificate,
> you have no privacy controls over what metadata you release. Whatever you
> put in the certificate is visible to anyone who looks at the certificate.
> (Well, you could encrypt it and then distribute a separate key, but that's
> getting into pointless complexity.) Whereas in theory your WebID endpoint
> could release different metadata depending on who asks.

Indeed. My FreedomBox may refuse to share my profile with colleagues whereas it may allow fellow debianers to get access, for instance (reusing the example of my 3 identities in a previous post).

> But since WebID
> doesn't authenticate the entity asking for metadata, I'm not sure that's
> really what's going on.
>

It may, but this may not be covered by the standard, only by details of implementation setup.

I think there are interesting chicken and egg / loops problems that can be imagined.

WebID is not stabilized yet, in any case, and I may have overlooked problems.

Maybe any further discussion not really related to Debian per se deserves a followup to the W3C working group for WebID? ;)

My 2 cents again.

Best regards,
-- 
Olivier BERGER
http://www-public.telecom-sudparis.eu/~berger_o/ - OpenPGP-Id: 2048R/5819D7E8
Ingenieur Recherche - Dept INF
Institut Mines-Telecom, Telecom SudParis, Evry (France)
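
Added illustration, not part of this thread or of any WebID implementation: the URI that the reply describes as placed in "Subject Alternative Name" is, in RFC 5280 terms, a GeneralName of type uniformResourceIdentifier. This Python sketch decodes a DER subjectAltName value and lists its URIs; the sample bytes are constructed, the function names are hypothetical, and the http(s)-only filter is an assumed verifier policy.

```python
from urllib.parse import urlsplit

URI_TAG = 0x86    # GeneralName [6] uniformResourceIdentifier (IA5String)
EMAIL_TAG = 0x81  # GeneralName [1] rfc822Name

def _der(tag, value):
    """Encode one DER TLV; used only to build the constructed sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        size = length & 0x7F
        if size == 0 or size > 4 or pos + size > len(buf):
            raise ValueError("unsupported DER length")
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

def san_uris(ext_value):
    """Return every URI GeneralName in a DER-encoded subjectAltName value."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("subjectAltName must be one SEQUENCE")
    uris, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == URI_TAG:
            uris.append(value.decode("ascii"))  # IA5String is ASCII-only
    return uris

def profile_candidates(ext_value):
    """Assumed verifier policy: only http(s) URIs with a host are fetched."""
    parsed = ((u, urlsplit(u)) for u in san_uris(ext_value))
    return [u for u, p in parsed if p.scheme in ("http", "https") and p.hostname]

# Constructed sample: an e-mail name, a profile URI and a non-web URI.
SAMPLE = _der(0x30, _der(EMAIL_TAG, b"me@example.org")
              + _der(URI_TAG, b"https://example.org/profile#me")
              + _der(URI_TAG, b"urn:example:not-a-profile"))
```

Everything in the extension is readable by anyone who sees the certificate, which is the privacy trade-off raised in the quoted text; only the profile behind the URI can be served selectively.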