[OpenID] OpenID as a PKI facilitator

Ben Laurie benl at google.com
Sat Apr 7 17:12:43 UTC 2007


On 4/7/07, Recordon, David <drecordon at verisign.com> wrote:
> Dick said:
> > dick.pip.verisignlabs.com and david.pip.verisignlabs.com would
> > be able to be in the zone and hence use the signing key for
> > pip.verisignlabs.com.
>
> As I read that, both dick.pip.verisignlabs.com and
> david.pip.verisignlabs.com would be in the same zone and thus be using
> the same key.

What? There's no need for them to be using the same key if they're in
the same zone. The key that is the same is the one that signs their
records, i.e. the zone key.

> That is not what I was envisioning, I was seeing
> dick.pip.verisignlabs.com and david.pip.verisignlabs.com having to be in
> separate zones in order to have separate keys.
>
> DTP is a draft back-channel protocol (basically S/MIME over HTTP) which
> proposes key discovery via Yadis.
> http://openid.net/specs/openid-service-key-discovery-1_0-01.html
>
> --David
>
> -----Original Message-----
> From: Ben Laurie [mailto:benl at google.com]
> Sent: Saturday, April 07, 2007 10:01 AM
> To: Recordon, David
> Cc: Dick Hardt; OpenID General
> Subject: Re: [OpenID] OpenID as a PKI facilitator
>
> On 4/7/07, Recordon, David <drecordon at verisign.com> wrote:
> >
> >
> >
> > Ah, now I see our disconnect.  I thought "dick" and "david" had
> > different keys as per the DTP discussion.
>
> Obviously they have different keys. You've lost me. What is DTP?
>
> >
> >  --David
> >
> >
> >   -----Original Message-----
> >  From:   Dick Hardt [mailto:dick at sxip.com]
> >  Sent:   Saturday, April 07, 2007 07:30 AM Pacific Standard Time
> >  To:     Ben Laurie
> >  Cc:     OpenID General
> >  Subject:        Re: [OpenID] OpenID as a PKI facilitator
> >
> >
> >  On 7-Apr-07, at 3:53 AM, Ben Laurie wrote:
> >
> >  > On 4/7/07, Dick Hardt <dick at sxip.com> wrote:
> >  >> Hmmm ... that is not how I understood it worked from talking to
> >  >> Ben Laurie.
> >  >>
> >  >> Ben: would seem pretty heavy if zone file was needed to store a
> >  >> key in a record. Is this true?
> >  >
> >  > No. But nor is that what David said: he said a separate zone was
> >  > needed for each signing key. Which is true.
> >  >
> >  > What I can't figure out from what has been written in this thread
> >  > is what exactly you are trying to do, or why it would involve
> >  > multiple signing keys - from what I'm reading, you want to publish
> >  > a key per user, signed by some authority, which you can do in a
> >  > single zone. But I'm guessing wildly.
> >
> >  Your guess is what we were talking about. How do you publish a key
> >  for the user, where each user is represented by a different DNS
> >  record?
> >
> >  dick.pip.verisignlabs.com and david.pip.verisignlabs.com would be
> >  able to be in the zone and hence use the signing key for
> >  pip.verisignlabs.com.
> >
> >  -- Dick
> >  _______________________________________________
> >  general mailing list
> >  general at openid.net
> >  http://openid.net/mailman/listinfo/general
> >
> >
> >
>
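The single-zone arrangement Ben describes above (one zone key signing a record for each user, while each user publishes a different key of their own) can be modelled directly. The following is an added example, not code from this thread, from OpenID or from the DTP draft; it uses a deliberately insecure textbook RSA with fixed, constructed primes in place of a real DNSSEC zone key, and the TXT record type, the key encoding and the canonical form covered by the signature are assumptions chosen for illustration.

```python
"""Toy model of the single-zone arrangement discussed in the thread:
one zone signing key for pip.verisignlabs.com signs a record for each
user, while dick and david publish different keys of their own.

Added example, not code from the thread, from OpenID or from DTP.
The toy RSA below uses fixed, constructed primes and no padding: it is
NOT secure and only stands in for a real DNSSEC zone key. Record type
(TXT), key encoding and canonical form are illustration assumptions.
"""
import hashlib

ZONE_APEX = "pip.verisignlabs.com."
# Constructed primes for the zone key and for each user's own key.
ZONE_PRIMES = (1000003, 1000033)
USER_PRIMES = {"dick": (1000037, 1000039), "david": (1000081, 1000099)}
E = 65537


def toy_keypair(p, q, e=E):
    """Textbook RSA keypair from two primes: returns (pub, priv)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # Python 3.8+ modular inverse
    return (n, e), (n, d)


def _digest_mod_n(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(priv, data):
    n, d = priv
    return pow(_digest_mod_n(data, n), d, n)


def toy_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(data, n)


def canonical(owner, rtype, rdata):
    """Canonical form covered by the signature: owner name, type, rdata."""
    return f"{owner.lower()} {rtype} {rdata}".encode()


def build_signed_zone(user_pubkeys, zone_priv):
    """Publish each user's public key as a TXT record under the apex and
    sign every record with the single zone key (an RRSIG-like field)."""
    zone = {}
    for user, (n, e) in user_pubkeys.items():
        owner = f"{user}.{ZONE_APEX}"
        rdata = f"n={n} e={e}"
        zone[owner] = {
            "rdata": rdata,
            "rrsig": toy_sign(zone_priv, canonical(owner, "TXT", rdata)),
        }
    return zone


def validate_record(zone, owner, zone_pub):
    """A validator needs only the zone's public key, never a user key."""
    rec = zone[owner]
    return toy_verify(zone_pub, canonical(owner, "TXT", rec["rdata"]), rec["rrsig"])


def demo_zone():
    """Build the zone for the thread's two users; returns
    (zone, zone_pub, user_pubs) for inspection."""
    zone_pub, zone_priv = toy_keypair(*ZONE_PRIMES)
    user_pubs = {u: toy_keypair(*pq)[0] for u, pq in USER_PRIMES.items()}
    return build_signed_zone(user_pubs, zone_priv), zone_pub, user_pubs


if __name__ == "__main__":
    zone, zone_pub, user_pubs = demo_zone()
    for owner in zone:
        print(owner, "validates:", validate_record(zone, owner, zone_pub))
    # Swapping david's key into dick's record breaks dick's signature.
    zone["dick." + ZONE_APEX]["rdata"] = zone["david." + ZONE_APEX]["rdata"]
    print("tampered dick record validates:",
          validate_record(zone, "dick." + ZONE_APEX, zone_pub))
```

Both users' records validate against the one zone public key, the two published user keys are different, and substituting one user's key data into the other's record fails validation: the per-user keys are data in the records, and only the key that signs the records has to be shared across the zone.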