ISSUE-1: Multiple URI entries in the SAN extension

State:
CLOSED
Product:
Raised by:
Stéphane Corlosquet
Opened on:
2011-01-27
Description:
from https://github.com/webid-community/webid-spec/issues#issue/2

The WebID spec does not currently cover the case where there are more than one SAN URI entry in the same certificate. There was a thread [2] on this topic started by Bruno a while back but it only discussed the other types of entries (like email) without reaching any consensus on the multiple URI entries.

from http://lists.foaf-project.org/pipermail/foaf-protocols/2010-July/002711.html
[[[
Since there can be multiple entries (and some of us have created certs with more than one SAN entry), are they all expected to be dereference-able and contain the same public key? Should we impose a limit of one entry in the SAN extension?
]]]

and from http://lists.foaf-project.org/pipermail/foaf-protocols/2010-July/002775.html
[[[
> Should there be multiple entries of type URI in the S.A.N. extension?

Possibly. We need to think of what this implies in terms of semantics too.

I would suggest to allow multiple URI entries: "The Identification Certificate MAY contain multiple URI entries in the Subject Alternative Name extension. The Verification Agent MUST attempt to verify at least one of these entries. It MAY verify more than one entry. The Verification Agent MUST NOT consider an entry for which the verification failed as authenticated, even if other entries have been verified successfully."

Do we then want to treat multiple successfully verified entries as owl:sameAs, or should we leave that to the RDF?
]]]

Here is a use case for having multiple URI entries. In a typical WebID authentication workflow, if your WebID provider is down for some reason, then you cannot authenticate with your WebID (leaving aside the particular cases of caching and trusted data sources). If your certificate contained another WebID URI, the Verification Agent could then dereference this other WebID URI to attempt authentication (provided the same public key was published at the second WebID Profile Document as well). The problem though is to know what your WebID URI is once you've authenticated via an alternate WebID URI. Should the Verification Agent trust that you are WebID URI #1 when the authentication sequence via WebID URI #1 didn't work and only WebID URI #2 worked? Clearly no, unless you can prove that you also own WebID URI #1 by having logged in via this URI in the past (in which case the Verification Agent would merge the two identities). Is this a good use case to justify the use of multiple WebID URIs in the same certificate? It would be equivalent to having two separate certificates, but the great advantage is that from the user's point of view you just have to choose one identity, however many WebID URIs you have associated with this identity (and you're pretty much sure at least one of your providers/servers will be up).

This raises a related issue. If we expect WebID to take off and publishing your own WebID to be easy, there ought to be ways to work around the fact that servers go down; that's one reason why there are so few OpenID providers and they are all big players providing decent QoS. In the case of WebID, even if you choose the best software implementation you can find on the market, you're still dependent on your hosting provider. WebID provisioning should work on cheap hosting to be truly decentralized and avoid the same centralization OpenID has.

Do we have other scenarios where it is useful to have multiple URIs? There might be cases where a URI entry of the SAN extension is not meant to be a WebID (think of other protocols sticking a URI in a certificate like we do). This might be fine and play nicely with the above scenario as long as the Verification Agent tries the authentication sequence with each URI entry until it finds a matching public key in whatever document each URI dereferences to.

Steph.

[2] http://lists.foaf-project.org/pipermail/foaf-protocols/2010-July/002775.html
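The following is an added example written for this page; it is not code from the WebID spec, the tracker, or any message in the thread. It shows the two halves of what the description above asks of a Verification Agent: pulling every uniformResourceIdentifier entry out of a DER-encoded Subject Alternative Name extension (ignoring non-URI entries such as an email address), then trying each claimed WebID in turn so that an unreachable provider does not block authentication via a second URI, while a URI whose profile does not publish the certificate's key is recorded as not verified rather than inferred from the others. The URIs, hosts, key values and the in-memory `fetch_profile` stand-in for dereferencing are all constructed for illustration; a real agent would fetch each URI and parse the profile's RDF for the published modulus and exponent.

```python
"""Verification Agent over a certificate with several SAN URI entries (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class RSAKey:
    """Public key as a WebID Profile Document would publish it (modulus, exponent)."""
    modulus: int
    exponent: int


class ProviderDown(Exception):
    """The WebID Profile Document could not be dereferenced (host down, timeout, 5xx)."""


def _tlv(tag: int, payload: bytes) -> bytes:
    """DER tag-length-value with definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def encode_san(entries: Iterable[tuple[int, bytes]]) -> bytes:
    """Build a SubjectAltName extension value: SEQUENCE OF GeneralName (RFC 5280 4.2.1.6)."""
    return _tlv(0x30, b"".join(_tlv(tag, value) for tag, value in entries))


def san_uris(ext_value: bytes) -> list[str]:
    """Return every uniformResourceIdentifier ([6] IA5String) in a DER SAN value.
    Other GeneralName types (rfc822Name [1], dNSName [2], ...) are skipped, not rejected."""
    def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                       # long form: next n bytes hold the length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER element")
        return tag, buf[pos:pos + length], pos + length

    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("SAN extension value is not a single SEQUENCE")
    uris, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == 0x86:                         # context tag [6], IMPLICIT IA5String
            uris.append(value.decode("ascii"))
    return uris


def verify_claimed_webids(claimed: Iterable[str], cert_key: RSAKey,
                          fetch: Callable[[str], set[RSAKey]]) -> tuple[list[str], dict[str, str]]:
    """Try every claimed WebID. A URI is verified only if its own profile publishes
    cert_key; failures are reported per URI and never inferred from a sibling entry."""
    verified: list[str] = []
    failed: dict[str, str] = {}
    for uri in claimed:
        try:
            published = fetch(uri)
        except ProviderDown as exc:
            failed[uri] = f"unreachable: {exc}"
            continue
        if cert_key in published:
            verified.append(uri)
        else:
            failed[uri] = "no matching public key"   # not a WebID, or not this user's
    return verified, failed


# --- constructed sample data: hypothetical hosts and key values, not real ones ---
ALICE_KEY = RSAKey(modulus=0xA11CE_F00D_0001, exponent=65537)
MALLORY_KEY = RSAKey(modulus=0xBAD_0002, exponent=65537)
PRIMARY = "https://alice.example/profile#me"      # provider is down in this scenario
BACKUP = "https://alice.example.net/card#i"       # second provider, same key published
NOT_OWNED = "https://mallory.example/card#me"     # claimed in the cert, different key

PROFILES = {PRIMARY: {ALICE_KEY}, BACKUP: {ALICE_KEY}, NOT_OWNED: {MALLORY_KEY}}
DOWN_HOSTS = {"alice.example"}

SAMPLE_SAN = encode_san([
    (0x86, PRIMARY.encode()),
    (0x86, BACKUP.encode()),
    (0x81, b"alice@alice.example"),               # rfc822Name: not a WebID, ignored
    (0x86, NOT_OWNED.encode()),
])


def fetch_profile(uri: str) -> set[RSAKey]:
    """Stand-in for dereferencing the profile document (constructed, offline)."""
    host = uri.split("/")[2]
    if host in DOWN_HOSTS:
        raise ProviderDown(f"{host} not responding")
    return PROFILES.get(uri, set())               # unknown document publishes no keys


def demo() -> tuple[list[str], dict[str, str]]:
    return verify_claimed_webids(san_uris(SAMPLE_SAN), ALICE_KEY, fetch_profile)


if __name__ == "__main__":
    ok, bad = demo()
    print("verified:", ok)
    print("not verified:", bad)
```

With the sample data only the backup URI comes back verified; the primary is reported as unreachable and the third URI as having no matching key, so the agent logs the user in as the backup WebID and makes no claim about the primary. In a live agent built on Python's `ssl` module, `sock.getpeercert()["subjectAltName"]` already yields `("URI", value)` pairs, so the DER step is only needed when you hold the raw extension; the verification loop is unchanged.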
Related Actions Items:
No related actions
Related emails:
  1. RE: Limit public keys and SAN entries? (was Re: Updated IdP to new spec.) (from home_pw@msn.com on 2011-11-28)
  2. Limit public keys and SAN entries? (was Re: Updated IdP to new spec.) (from scorlosquet@gmail.com on 2011-11-28)
  3. closed 9 issues (from henry.story@bblfish.net on 2011-11-25)
  4. ISSUE-55: WebID schema agnosticims (from henry.story@bblfish.net on 2011-04-19)
  5. RE: Turning every Web Server into a CA (from home_pw@msn.com on 2011-02-04)
  6. Re: Turning every Web Server into a CA (from henry.story@bblfish.net on 2011-02-04)
  7. Re: WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from henry.story@bblfish.net on 2011-02-01)
  8. WebID-ISSUE-19: x509v3 Independence and TLS Extensions [WebID Spec] (from sysbot+tracker@w3.org on 2011-02-01)
  9. RE: WebID-ISSUE-16: Easy cross-browser certificate transfer (from home_pw@msn.com on 2011-01-31)
  10. WebID-ISSUE-1: Multiple URI entries in the SAN extension (from scorlosquet@gmail.com on 2011-01-31)
  11. WebID-ISSUE-1: Multiple URI entries in the SAN extension (from scorlosquet@gmail.com on 2011-01-31)
  12. WebID-ISSUE-1: Multiple URI entries in the SAN extension (from scorlosquet@gmail.com on 2011-01-31)
  13. WebID-ISSUE-1: Multiple URI entries in the SAN extension (from scorlosquet@gmail.com on 2011-01-31)
  14. WebID-ISSUE-1: Multiple URI entries in the SAN extension (from scorlosquet@gmail.com on 2011-01-31)
  15. WebID-ISSUE-1: Multiple URI entries in the SAN extension (from scorlosquet@gmail.com on 2011-01-31)
  16. WebID-ISSUE-1: Multiple URI entries in the SAN extension (from scorlosquet@gmail.com on 2011-01-31)
  17. WebID-ISSUE-1: Multiple URI entries in the SAN extension (from scorlosquet@gmail.com on 2011-01-27)
  18. A few comments on the issue database -- was: Issuer Alternative Names (from henry.story@bblfish.net on 2011-01-27)
  19. WebID-ISSUE-1: Multiple URI entries in the SAN extension (from scorlosquet@gmail.com on 2011-01-27)
  20. WebID-ISSUE-1: Multiple URI entries in the SAN extension (from sysbot+tracker@w3.org on 2011-01-27)

Related notes:

the latest spec

"WebID Certificate may contain multiple URI entries which are considered claimed WebIDs at this point, since they have not been verified. The Verification Agent may verify as many or as few WebIDs as it has time for. It may do it in parallel and asynchronously. However that is done, a claimed WebID can only be considered verified if the following steps have been accomplished successfully:"

Henry Story, 25 Nov 2011, 13:19:37



Henry Story <Henry.Story@bblfish.net>, Chair, Dominique Hazaël-Massieux <dom@w3.org>, Staff Contact