--- a/spec/index-respec.html Thu Dec 01 18:07:09 2011 +0100
+++ b/spec/index-respec.html Tue Dec 06 16:27:15 2011 +0100
@@ -423,7 +423,7 @@
</dd>
<dt><tdef>Key Chain</tdef> agent</dt>
-<dd>A Key Chain agent can return certificates to authorized <tref>Clients</tref> and can sign cryptographic tokens with the corresponding key.</dd>
+<dd>A Key Chain agent can return certificates to authorized <tref>Clients</tref> and can sign cryptographic tokens with the corresponding key. This protocol does not specify where that agent is: it could be that the <tref>Client</tref> contains his own Key Chain or it could be that the Key Chain is a seperate process on the Operating System.</dd>
<dt><tdef>Server</tdef></dt>
<dd>A Server is a machine contactable at a domain name or ip address that hosts a number of globally accessible Services.</dd>
@@ -784,7 +784,7 @@
</section>
<section class='normative'>
<h1>Disabling a WebID Certificate</h1>
-<p>A <tref>WebID Certificate</tref> identifies the <tref>Subject</tref> alone and no one else, if and only if she is the only one to control the corresponding privte key.
+<p>A <tref>WebID Certificate</tref> identifies the <tref>Subject</tref> alone and no one else, if and only if she is the only one to control the corresponding private key.
It is very important therfore that the <tref>Subject</tref> take care of keeping the <tref>private key</tref> secure.
This can be done by keeping it in the <tref>Key Chain</tref> of a personal machine in an account that is password protected and free of viruses, or best of all on some physical device where the private key is inacessible to be read by any software.
In the second case having the device implies that the <tref>private key</tref> has not been lost or copied.
--- a/tests/earl/RelyingParty.n3 Thu Dec 01 18:07:09 2011 +0100
+++ b/tests/earl/RelyingParty.n3 Tue Dec 06 16:27:15 2011 +0100
@@ -45,15 +45,21 @@
# pure certificate tests
#
wit:certificateProvided a earl:TestCase;
+ rdfs:label "X509 received?"@en;
dct:title "Did the client provide a X509 certificate?"@en;
dct:description "Without a client certificate this type of WebID Authentication can not take place."@en;
skos:note "If the client provided an certificate, the earl:pointer property must point to it. The certificate is described with the class cert:Certificate using the property cert:base64der. The property cert:principal_key must point to the contained public key. The public key is described with a rsa:publicKey which contains the properties rsa:modulus and rsa:public_exponent. The log:semantics property must point to a blank node that contains a log:includes property for every WebIDClaim."@en.
wit:certificateProvidedSAN a earl:TestCase;
+ rdfs:label "X509 contains SAN?"@en;
dct:title "Does the client certificate contain a subject alternative name?"@en;
dct:description "The client certificate must contain at least one Subject Alternative Name in the SAN field of the certificate"@en;
skos:note "The earl:subject property must point to the certificate. The earl:pointer must contain the complete subject alternative name string. The certificate is described with the class cert:Certificate using the property cert:base64der. The property cert:principal_key should point to the contained public key."@en.
+wit:sanOK a earl:TestCase;
+ dct:title "Is the Subject Alternative Name URL one that the testing software can work with"@en;
+ dct:description "The URL may be malformed, or it may be one the testing software does not know how to dereference"@en.
+
wit:certificateDateOk a earl:TestCase;
dct:title "Is the certificate alive?"@en;
dct:description "The time of this session should be between the begin and end date of the certificate validity times"@en;