On 9-Mar-06, at 7:26 PM, Robert Yates wrote:

[EMAIL PROTECTED] wrote:

The thread on DoS in dmd0 got me thinking about the meaning of the verification step in dmd0. As stated in that thread, the verification step might be a concern, since a membersite may be blocking on a response from an unknown homesite. I started to think about eliminating the verification (and the signature that goes with it). What requirement is the verification step meeting? At the most basic level, a DIX protocol is simply providing a convenient way to transfer a set of self-asserted attributes from the user to the membersite - by way of the homesite. In this model the homesite is simply storing the attributes on the user's behalf and, consistently with Identity Law #1, revealing them only with the user's consent. It does not do any checking that they correctly represent the user in any way. At this level the only thing the signature means is "I sent this exact set of attributes because the user asked me to." This just doesn't seem very useful to the membersite. The entire set of attributes could be replaced by a MITM that runs its own homesite, or that has an account at the specified homesite. Can we agree that for this level of requirement, the signature and verification are not required?

The Homesite is authoritative that the user is the persona-url. If the persona-url is in the message, then the Membersite needs to verify that the Homesite did make the claim that the user is that persona-url.

I agree with you that the Membersite does not need to verify the message if only self-asserted claims are coming from the user.


Am not sure that I agree with this. There are instances where it is important who the homesite is, i.e. who is making the assertion about the attributes. I also don't believe that the attributes are always self-asserted and have been assuming that a user probably has many sites that assert attributes about the user and act as homesites, e.g. my bank, my state, etc.

A classic example is the driving license analogy. The membersite wants to know how old the user is. They are not going to accept an assertion about the user's age from any homesite. It has to be from some "homesite" that they trust, in my case, as I live in Mass., probably "http://www.mass.gov". For these cases they need the verification step.

I would call this an Authoritative Site. In these cases I think using PKI is appropriate.


I agree that there are many instances where the verification step is not required, but I think it is an important step for many more attributes than just the persona-url.

As I mention above, the verification is required if the persona-url is in the message.

-- Dick

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
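The policy the thread converges on, as an added example that is not part of the mailing-list discussion or of any DIX implementation: a membersite accepts purely self-asserted attributes without checking a signature (so it never blocks on an unknown homesite), but a claim such as the persona-url or the user's age is taken only from a homesite the membersite trusts for that attribute, and only after the signature verifies. The trust table, the message layout and the use of a shared HMAC key in place of the PKI signature Robert suggests for authoritative sites are all assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed trust table for the membersite (an assumption, not DIX wire
# format): which homesites it treats as authoritative for which attributes,
# and the key it checks their messages with. A shared HMAC key stands in
# for the PKI signature the thread suggests for authoritative sites.
TRUSTED_HOMESITES = {
    "https://homesite.example": {"key": b"homesite-example-key",
                                 "attributes": {"persona-url"}},
    "http://www.mass.gov": {"key": b"mass-gov-key",
                            "attributes": {"persona-url", "age"}},
}
# Attributes the membersite is content to take at the user's word.
SELF_ASSERTED_OK = {"nickname", "email"}


def canonical(attributes):
    """Bytes the signature covers: canonical JSON of the attributes."""
    return json.dumps(attributes, sort_keys=True).encode()


def make_message(homesite, attributes):
    """Homesite side (simulated): package the attributes and sign them."""
    key = TRUSTED_HOMESITES[homesite]["key"]
    sig = hmac.new(key, canonical(attributes), hashlib.sha256).hexdigest()
    return {"homesite": homesite, "attributes": dict(attributes), "signature": sig}


def accept(message):
    """Membersite side: return (attributes, verified) or raise ValueError.
    Self-asserted attributes pass with no signature check, so the membersite
    never blocks on an unknown homesite for them; anything stronger must come
    from a homesite trusted for that attribute and carry a valid signature."""
    attributes = message["attributes"]
    needs_vouching = set(attributes) - SELF_ASSERTED_OK
    if not needs_vouching:
        return dict(attributes), False
    site = TRUSTED_HOMESITES.get(message.get("homesite"))
    if site is None:
        raise ValueError("unknown homesite cannot vouch for %s" % sorted(needs_vouching))
    beyond = needs_vouching - site["attributes"]
    if beyond:
        raise ValueError("%s not authoritative for %s" % (message["homesite"], sorted(beyond)))
    expected = hmac.new(site["key"], canonical(attributes), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("signature", "")):
        raise ValueError("signature does not verify; attributes may have been replaced")
    return dict(attributes), True
```

A message whose attributes a MITM has swapped fails the signature check, and a homesite outside the table cannot vouch for age at all, while a nickname-only message is accepted with no lookup.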
