[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[Freedombox-discuss] FOAF developers taking FreedomBox into their equation

On Thu, Mar 10, 2011 at 02:55:08AM +0100, bertagaz at ptitcanardnoir.org wrote:
>On Thu, Mar 10, 2011 at 12:11:01AM +0100, Melvin Carvalho wrote:
>> On 10 March 2011 00:02, Jonas Smedegaard <dr at jones.dk> wrote:
>> > On Wed, Mar 09, 2011 at 10:29:06PM +0000, Clint Adams wrote:
>> Traditionally we've always 'self signed' our WebID certificates.  So 
>> there's no CA that needs to be in the loop.  In fact, I dont know of 
>> any instance WebID has *ever* been used with a CA, but I suppose it 
>> is possible too. :)
>Then how does the authentification part works? Is there a web of trust, 
>or a way to be sure a X.509 cert belongs to a certain ID?

WebID is technically called FOAF+SSL.

It is a FOAF resource which includes claims of its own URL and a public 
key that is governing it. And it is a client certificate containing a 
URL referencing that FOAF.

So when presenting the client certificate, it can be verified by 
checking that the URL it references does indeed contain that same public 
key as the client certificate.

Instead of trying to shoot down above, please read up on it first.  I am 
not an engineer of WebID nor an expert in the security parts of it.

More info: http://www.w3.org/wiki/foaf+ssl

  - Jonas

  * Jonas Smedegaard - idealist & Internet-arkitekt
  * Tlf.: +45 40843136  Website: http://dr.jones.dk/

  [x] quote me freely  [ ] ask before reusing  [ ] keep private
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110310/f623d200/attachment.pgp>

Reply to: