Hi all.
What concerns me these days is secure data exchange
over OpenID for serious services, and on this theme I
came upon a specification, secure key discovery 1.0.
To my understanding, this spec is about implementing a
security framework in the OpenID world and is still very much a draft.
Now
Interesting idea.
Is there a way to do this via an RP-OP SSL handshake? Web
apps typically don't have access to SSL private keys, at least
in larger deployments.
I wonder how your idea reduces network traffic, though. Don't
you still have to retrieve the public key, which is likely
larger than
Thank you Hans.
About the RP-OP SSL connection, major web languages like Java,
PHP, Ruby etc. have APIs or libraries for HTTP/HTTPS.
I believe in most cases it is possible to configure web
applications to trust only several certificates explicitly
just modify certificate store those languages
Hello
would it be possible to have the PGP key with a password as well as an entry
point for the OpenID defined?
So why a username and password, the PGP key with a password should be added.
What has to be done, to get this into the definitions?
Thanks Mike
On Jan 21, 2008, at 4:05 AM, Michael Schmidt wrote:
Hello
would it be possible to have the PGP key with a password as well as
an entry point for the OpenID defined?
So why a username and password, the PGP key with a password should
be added.
What has to be done, to get this into the
FWIW, the XRI form of openID's provides just such a mechanism, whereby
the publisher of the XRD signs all (or a part of) the XRDS, tho I
know of few libraries today which support trusted resolution[1].
=peterd
[1] http://docs.oasis-open.org/xri/2.0/specs/cd02/xri-resolution-V2.0-cd-02.pdf
Masaki, Peter has a good point -- the XRDS keyinfo discovery mechanism,
specified in section 10.2 (SAML Trusted Resolution) of XRI Resolution 2.0
Committee Draft 02
(http://docs.oasis-open.org/xri/2.0/specs/cd02/xri-resolution-V2.0-cd-02.pdf),
deals with DNS poisoning by using signed SAML