From 16a09356423788e49d0e27968ea119c02b886a49 Mon Sep 17 00:00:00 2001 From: scor Date: Mon, 20 Sep 2010 20:31:57 -0400 Subject: [PATCH] Cover the case of multiple SAN URIs in the terminology and authentication sequence sections --- index-respec.html | 44 ++++++++++++++++++++++++++------------------ 1 file changed, 26 insertions(+), 18 deletions(-) diff --git a/index-respec.html b/index-respec.html index 7983382..4d9bf23 100644 --- a/index-respec.html +++ b/index-respec.html @@ -414,19 +414,18 @@

Terminology

Identification Agent is typically also a User Agent.
Identification Certificate
-
An X.509 [[!X509V3]] Certificate that MUST contain exactly one -Subject Alternative Name extension with a URI entry. The URI -identifies the Identification Agent. The URI SHOULD be +
An X.509 [[!X509V3]] Certificate that MUST contain a +Subject Alternative Name extension with at least one URI entry +identifying the Identification Agent. This URI SHOULD be dereference-able and result in a document containing RDF data. For example, -the certificate would contain http://example.org/webid#public, -known as a WebID URI, as the Subject Alternative Name: +a certificate identifying the WebID URI http://example.org/webid#public +would contain the following:
 X509v3 extensions:
    ...
    X509v3 Subject Alternative Name:
       URI:http://example.org/webid#public
 
-

TODO: cover the case where there are more than one URI entry

WebID URI
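Review bot: the TODO kept as unchanged context at the end of this hunk ("TODO: cover the case where there are more than one URI entry") is exactly what the added sentences now cover, so it should be deleted in this same change rather than left in the document. Also, the added "This URI SHOULD be dereference-able" still refers to a single URI while the preceding sentence now allows at least one entry; suggest "Each such URI SHOULD be dereference-able and result in a document containing RDF data." so the requirement clearly applies to every URI entry in the extension.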
@@ -685,13 +684,17 @@

Authentication Sequence

Identification Certificate of the Identification Agent as a part of the TLS client-certificate retrieval protocol. -
  • The Verification Agent MUST extract the public key and the -WebID URI contained in the Subject Alternative Name -extension of the Identification Certificate.
  • - -
  • The public key information associated with the -WebID URI MUST be checked by the Verification Agent. -This process SHOULD occur either by dereferencing the WebID URI and +
  • The Verification Agent MUST extract the public key +and all the URI entries contained in the Subject Alternative Name +extension of the Identification Certificate. +An Identification Certificate MAY contain multiple URI entries +which are considered claimed WebID URIs.
  • + +
  • The Verification Agent MUST attempt to verify the +public key information associated with at least one of the claimed +WebID URIs. The Verification Agent MAY attempt to +verify more than one claimed WebID URI. +This verification process SHOULD occur either by dereferencing the WebID URI and extracting RDF data from the resulting document, or by utilizing a cached version of the RDF data contained in the document or other data source that is up-to-date and trusted by the Verification Agent. The processing @@ -702,12 +705,17 @@

    Authentication Sequence

  • If the public key in the Identification Certificate is found in the list of -public keys associated with the WebID URI, the +public keys associated with the claimed WebID URI, the Verification Agent MUST assume that the client intends to use -this public key to verify their ownership of the WebID URI.
  • - -
  • -The Verification Agent verifies that the +this public key to verify their ownership of the +WebID URI. +On the other hand, if no matching public key is found in the list +of public keys associated with the claimed WebID URI, +the Verification Agent MUST attempt to verify another claimed +WebID URI. The authentication MUST fail if no matching +public key is found among all the claimed WebID URIs.
  • + +
  • The Verification Agent verifies that the Identification Agent owns the private key corresponding to the public key sent in the Identification Certificate. This SHOULD be fulfilled by performing TLS mutual-authentication between the Verification Agent and the
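Review bot: the added text in the @@ -685 hunk introduces claimed WebID URIs and lets the Verification Agent verify more than one, but never states what the outcome of that verification is, so there is no rule for which URI or URIs the Verification Agent reports as the authenticated identity when several were checked; suggest adding a sentence that the authenticated WebID URIs are exactly those whose public key information was verified, and that claimed WebID URIs that were not verified MUST NOT be treated as authenticated. Minor: "by dereferencing the WebID URI" in the retained context is still singular; "the claimed WebID URI being verified" would match the new wording.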
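Review bot: in the @@ -702 hunk the added fallback ("the Verification Agent MUST attempt to verify another claimed WebID URI") combined with the dereferencing step from the previous hunk means one certificate can now cause a separate fetch for every URI entry before "The authentication MUST fail if no matching public key is found among all the claimed WebID URIs" is reached; suggest stating that the Verification Agent MAY limit the number of claimed WebID URIs it dereferences and MUST treat reaching that limit without a match as the failure case, so the rule cannot be read as requiring unbounded fetches. Style: "their ownership" should be "its ownership" to agree with "the client".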