[xwiki-devs] cert creation component

Story Henry henry.story at bblfish.net
Fri Feb 12 10:44:52 CET 2010


On 12 Feb 2010, at 05:10, Niels Mayer wrote:

> I needed some more background on this, as it turned out I was about to ask a
> stupid question about who signs the certs, but that is basically answered
> here:
> 
> http://blogs.sun.com/bblfish/entry/foaf_ssl_pki_and_the (foaf+ssl, pki and
> the duck-rabbit)
> 
>> Whereas PKI is used for hierarchical trust, we use it to build a web of
>> trust. Where X509 certs built up a lot on the Distinguished Name hierarchy,
>> we nearly ignore it. Where X509 tried to place information in the
>> certificate, we place it outside at the name location. Even though SSL can
>> request client certificates in the browser, nobody does this, yet we build
>> on this little known feature. Self signed client certificates, which would
>> not have made sense in traditional PKI infrastructure, because they prove
>> nearly nothing about the client, is what we build everything on....
> 
> 
> Ok, this is beginning to make sense. PGP via the web browser, using browser
> mechanisms to install SSL client certificates. Looking for more background,
> I found these:
> 
> http://blogs.sun.com/bblfish/entry/foaf_ssl_adding_security_to
> foaf+ssl: adding security to open distributed social networks
> 
> http://blogs.sun.com/bblfish/entry/more_on_authorization_in_foaf
> foaf+ssl: creating a web of trust without key signing parties
> 
> http://blogs.sun.com/bblfish/entry/building_secure_and_distributed_social
> Building Secure, Open and Distributed Social Network Applications
> 
> ...
> 
> I think it would be very useful to integrate FOAFiness with Xwiki's access
> control: e.g. allow FOAFs passed document links in your wiki to
> conditionally register/login and view/comment the given link/document.
> Nonregistered users would be given access based on space-rights (if space
> not publicly viewable, then access denied). By conditionally register/login,
> I mean that you could place access control rules on how far you might want
> to allow any private document to "spread" in a foaf network. E.g. some
> documents would only be accessible by first-level friends, etc.

Exactly. One could give access rights on parts of the wiki with rules such as

<http://xwiki.org/OSSGTP/> can only be edited by members of the <http://www.ossgtp.org/members/#ossgtp> group and their friends.

So at <http://www.ossgtp.org/> there would be a foaf:Document describing the current members, which could be updated periodically. Xwiki.org would get that document every so often (or it could be pinged on changes).

One can imagine a lot of different scenarios....


> Is something like the above part of the "use case" for Foaf+SSL in Xwiki??

Those are use cases for foaf+ssl, and I think XWiki is an Operating System, with the aim of replacing emacs, so yes you can do whatever you want ;-)

Henry

> 
> Niels
> http://nielsmayer.com
> _______________________________________________
> devs mailing list
> devs at xwiki.org
> http://lists.xwiki.org/mailman/listinfo/devs
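
The rule discussed in this thread ("members of the group and their friends", limited to first-level friends) can be sketched as follows; this is an added example, not part of the original messages and not XWiki code. It assumes that the WebID has already been authenticated by the foaf+ssl certificate check, that fetched statements are kept as (subject, predicate, object, source document) tuples, and that a statement counts only when it comes from the subject's own document; the `*.example` WebIDs and all function names are hypothetical.

```python
from collections import deque
from urllib.parse import urldefrag

GROUP = "http://www.ossgtp.org/members/#ossgtp"  # group URI from the thread

# Constructed sample data: (subject, predicate, object, document it was fetched from)
TRIPLES = [
    (GROUP, "foaf:member", "https://alice.example/foaf#me", "http://www.ossgtp.org/members/"),
    ("https://alice.example/foaf#me", "foaf:knows", "https://bob.example/card#i", "https://alice.example/foaf"),
    ("https://bob.example/card#i", "foaf:knows", "https://carol.example/id#me", "https://bob.example/card"),
    # Claims published by a third party about the group and about alice: ignored.
    (GROUP, "foaf:member", "https://outsider.example/p#me", "https://outsider.example/p"),
    ("https://alice.example/foaf#me", "foaf:knows", "https://outsider.example/p#me", "https://outsider.example/p"),
]

def authoritative(triples):
    """Keep only statements published in the subject's own document."""
    return [(s, p, o) for s, p, o, doc in triples if urldefrag(s).url == doc]

def allowed_webids(triples, group, max_depth=1):
    """Map each permitted WebID to its distance from the group (0 = member)."""
    facts = authoritative(triples)
    knows = {}
    for s, p, o in facts:
        if p == "foaf:knows":
            knows.setdefault(s, set()).add(o)
    depth = {o: 0 for s, p, o in facts if s == group and p == "foaf:member"}
    queue = deque(depth)
    while queue:  # breadth-first walk, stopping at max_depth hops
        person = queue.popleft()
        if depth[person] == max_depth:
            continue
        for friend in knows.get(person, ()):
            if friend not in depth:
                depth[friend] = depth[person] + 1
                queue.append(friend)
    return depth

def can_edit(webid, triples=TRIPLES, group=GROUP, max_depth=1):
    """webid must be the already-authenticated WebID of the requester."""
    return webid in allowed_webids(triples, group, max_depth)
```

Friendship is followed only in the direction a member asserts it, so a requester cannot gain access by publishing a profile that claims to know a member.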


