On Apr 4, 2007, at 7:43 PM, Douglas Otis wrote:

> Related services that can be enabled by using OpenID as a key
> distribution scheme. Keys would need to relate to services handled
> by the consumer or RP. A sub-attribute could help facilitate
> correct placement of the keys and to allow different keys for
> different purposes.
>
>> Secondly X509 certificates are very, very broken in terms of
>> delegation semantics and certification semantics (at least in many
>> people's eyes, mine included.)
>>
>> So.. SPKI?
>>
>> (yes, I've been over this territory.... and that's pretty much
>> what I'm doing here.)
>
> How these keys are handled internally could be left to the consumer
> or RP. Either the OpenID server or the Consumer or RP could
> fashion their own certs based upon this information where it is
> administered and integrated with other services. The individual
> end-user would only need to submit their set of public keys for
> this to become possible.
Hm. Well, I don't mean to suggest that we tear off fixing or expressing the whole semantics of PKI, but I do think that some care should be taken to make sure that it's clear what the security status of a returned key is. Problems like Confused Deputy can easily arise when you start dealing with registry systems which aren't under really tight control.

I don't have a neatly packaged solution for this, but we're dealing with situations which can have very significant legal repercussions: digital signatures are legal for some kinds of transactions in some jurisdictions, and however this is handled, it has to have some approach to the questions of "what is the key good for, and who says it's OK for this purpose?"

Vinay

--
Vinay Gupta - Designer, Hexayurt Project - an excellent public domain refugee shelter system
Gizmo Project VOIP: 775-743-1851 (usually works!)
Cell: Iceland (+354) 869-4605
http://howtolivewiki.com/hexayurt - old
http://appropedia.org/Hexayurt_Project - new
Skype/Gizmo/Gtalk: hexayurt

I have a proof which unfortunately this signature is too short

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
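As an added illustration of the two questions Vinay raises ("what is the key good for, and who says it's OK for this purpose?"), the following Python sketch is not from either poster and is not part of any OpenID specification. It assumes a hypothetical key-distribution attribute carrying an end user's public key, a declared list of purposes and the asserting OpenID provider (OP), MACed with a per-OP association secret in the style of OpenID 2.0 signed responses. The RP then refuses to use the key for any purpose the record does not declare, or that the RP has not chosen to trust that particular OP to vouch for. All secrets, URLs and the key blob are constructed placeholders.

```python
import hmac
import hashlib
import json

# Constructed per-OP association secrets held by the RP (placeholders).
# In OpenID 2.0 the OP signs response fields with an HMAC keyed by such
# a secret; this example reuses that idea for a hypothetical key attribute.
ASSOCIATIONS = {
    "https://op.example/": b"constructed-secret-for-op-example",
    "https://other-op.example/": b"constructed-secret-for-other-op",
}

# RP-local policy: which OPs this RP trusts to assert keys for which
# purposes. This answers "who says it's OK?" and is the RP's own choice,
# not something the OP can assert about itself.
TRUSTED_ISSUERS = {
    "https://op.example/": {"ssh-login", "email-signing"},
}


def canonical(record: dict) -> bytes:
    """Deterministic encoding so OP and RP MAC the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_key_record(record: dict, secret: bytes) -> str:
    """OP side: HMAC-SHA256 over the canonical record."""
    return hmac.new(secret, canonical(record), hashlib.sha256).hexdigest()


def accept_key(record: dict, mac: str, purpose: str) -> tuple:
    """RP side. Returns (accepted, reason).

    A key is usable for `purpose` only if the MAC verifies under the
    association for the claimed issuer, the record itself declares that
    purpose, and the RP trusts that issuer for that purpose.
    """
    issuer = record.get("issuer")
    secret = ASSOCIATIONS.get(issuer)
    if secret is None:
        return False, "no association with issuer"
    if not hmac.compare_digest(sign_key_record(record, secret), mac):
        return False, "bad signature"
    if purpose not in record.get("purposes", []):
        return False, "key not declared for this purpose"
    if purpose not in TRUSTED_ISSUERS.get(issuer, set()):
        return False, "issuer not trusted for this purpose"
    return True, "ok"


# Constructed sample record as an OP might forward it. The key blob is a
# placeholder, not a real public key.
SAMPLE_RECORD = {
    "identity": "https://alice.op.example/",
    "issuer": "https://op.example/",
    "purposes": ["ssh-login"],
    "public_key": "PLACEHOLDER-PUBLIC-KEY",
}
SAMPLE_MAC = sign_key_record(SAMPLE_RECORD, ASSOCIATIONS["https://op.example/"])


def demo() -> dict:
    """Run the RP check against the declared purpose and three misuses."""
    results = {}
    results["declared"] = accept_key(SAMPLE_RECORD, SAMPLE_MAC, "ssh-login")
    # Confused-deputy style misuse: a valid key presented for another purpose.
    results["undeclared"] = accept_key(SAMPLE_RECORD, SAMPLE_MAC, "email-signing")
    # Record altered after signing to add a purpose: MAC no longer matches.
    tampered = dict(SAMPLE_RECORD, purposes=["ssh-login", "email-signing"])
    results["tampered"] = accept_key(tampered, SAMPLE_MAC, "email-signing")
    # Correctly signed by an OP this RP has an association with but does
    # not trust to vouch for keys.
    foreign = dict(SAMPLE_RECORD, issuer="https://other-op.example/")
    foreign_mac = sign_key_record(foreign, ASSOCIATIONS["https://other-op.example/"])
    results["untrusted_issuer"] = accept_key(foreign, foreign_mac, "ssh-login")
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'} ({why})")
```

The design point is that integrity of the record (the MAC) and authority over its purposes (the RP's trust table) are separate checks; a registry that only proves a key came from somewhere, without binding it to a purpose and a party the RP chose to trust for that purpose, is exactly where a confused-deputy problem starts.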