On 8/7/13 4:36 PM, Norman Gray wrote:
By the way: 'non-exotic' here, means an action that the n-t-f already has some 
mental model of, and which they have already managed to do, for some other 
entirely pragmatic reason.  Interestingly, I suspect that the process of 
generating the WebID certificate in the browser fails this test,_even though_  
the certificate has to end up in the browser (other than on OS X), because 
there's no clear mental model of what's happening in this step, and that 
matters.

True!

This is why we no longer use that default. The preference is to produce a pkcs#12 file instead. Once produced, you can dispatch this file to any modern operating system and the process of storing crypto data in the keystore becomes a native OS interaction.

In this age of PRISM, NSA, and TEMPORA, the notion of saving identity oriented claims to a secure pkcs#12 file, that lives on your own computing device, is an endeavor that folks are willing to invest five or less minutes learning.

Here's the process, as we currently see it:

1. obtain profile data -- from an existing FOAF document or 3rd party social media/network oriented service
2. generate keypairs (outside the browser)
3. generate certificate using the profile data and public key from the steps above -- sign the certificate using the private key (you are the passport holder and issuer/signer in this scenario)
4. publish certificate claims (in Linked Data form) to a public document (typically a FOAF vocab based profile document) that's accessible via the WebID placed in the certificate's SAN
5. save private key and certificate to a pkcs#12 file
6. dispatch (via email, mounted drive, usb etc.) the pkcs#12 file to your computing devices
7. enjoy the wonderment of Webby-PKI based trust Webs!

--

Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
