[FoRK] DNT: another example of "you can't make this shit up"
Stephen D. Williams
sdw at lig.net
Tue Oct 16 00:04:47 PDT 2012
What is "persistence of identity"? Isn't that just a "session"? Identity isn't just a name, it is a unique identity that may have
some degree of identification and disambiguous characteristics. A session should have its own identity. If you want to associate
some access with the session, then the identity of the user may be how you choose what to show but the session is what is being
matched between transactions.
On 10/15/12 8:43 PM, Gregory Alan Bolcer wrote:
> Also, we can agree that a user identity, aka Stephen Williams is not the same as persistence of identity, aka the person who used
> his stored karma/goodwill/ad$/whatever to access X is the same person who is coming back to access Y on the same or
> crypto-family-related server within the time period/expiry date of his access.
> On 10/15/2012 8:15 PM, Stephen Williams wrote:
>> You're using it wrong. PKI certificates are supposed to be like
>> driver's licenses, birth certificates, etc. and change about as often.
>> You only need one (or one per persona), more or less, and the rest of
>> your identity is anchored from that. If you want strong security, you
>> need a PKI smart card or equivalent, protected by PIN, proofed at a
>> known location by a well-trained officer by presenting sufficient proof
>> of identity, with good surveillance. You don't want to have to do that
>> very often.
>> There should be only identity, expiration, and approval for an authority
>> in a certificate. There should never be application-specific
>> authorization or anything ephemeral in the certificate. That's what
>> signed data is for, signed either by the user, a digital notary, or an
>> authority or any combination of those.
>> You can have a certificate for a domain or subdomain, or a wildcarded
>> domain. Or an email address.
>> There shouldn't be multiple certificates with the same identity.
>> Browsers do check expiration date in at least some cases because I've
>> seen the error messages. If they don't check in all cases, it is an
>> error. They should also check for revoked certificates, via OCSP
>> ideally, but that hasn't been widely used. However, it does seem to be
>> widely supported:
More information about the FoRK