[OpenID] OpenID as a PKI facilitator
Ben Laurie
benl at google.com
Sat Apr 7 17:45:31 UTC 2007
On 4/7/07, Recordon, David <drecordon at verisign.com> wrote:
> So then where are we placing the user's key? I thought what was being
> proposed was using the signing key as the user's public key. Seems this
> isn't the case, so then is the user's key going in as a DNS record (and
> then in what format)?
http://www.ietf.org/rfc/rfc4398.txt
>
> --David
>
> -----Original Message-----
> From: Ben Laurie [mailto:benl at google.com]
> Sent: Saturday, April 07, 2007 10:13 AM
> To: Recordon, David
> Cc: Dick Hardt; OpenID General
> Subject: Re: [OpenID] OpenID as a PKI facilitator
>
> On 4/7/07, Recordon, David <drecordon at verisign.com> wrote:
> > Dick said:
> > > dick.pip.verisignlabs.com and david.pip.verisignlabs.com would be
> > > able to be in the zone and hence use the signing key for
> > > pip.verisignlabs.com.
> >
> > As I read that, both dick.pip.verisignlabs.com and
> > david.pip.verisignlabs.com would be in the same zone and thus be using
> > the same key.
>
> What? There's no need for them to be using the same key if they're in
> the same zone. The key that is the same is the one that signs their
> records, i.e. the zone key.
>
> > That is not what I was envisioning, I was seeing
> > dick.pip.verisignlabs.com and david.pip.verisignlabs.com having to be
> > in separate zones in order to have separate keys.
> >
> > DTP is a draft back-channel protocol (basically S/MIME over HTTP)
> > which proposes key discovery via Yadis.
> > http://openid.net/specs/openid-service-key-discovery-1_0-01.html
> >
> > --David
> >
> > -----Original Message-----
> > From: Ben Laurie [mailto:benl at google.com]
> > Sent: Saturday, April 07, 2007 10:01 AM
> > To: Recordon, David
> > Cc: Dick Hardt; OpenID General
> > Subject: Re: [OpenID] OpenID as a PKI facilitator
> >
> > On 4/7/07, Recordon, David <drecordon at verisign.com> wrote:
> > >
> > >
> > >
> > > Ah, now I see our disconnect. I thought "dick" and "david" had
> > > different keys as per the DTP discussion.
> >
> > Obviously they have different keys. You've lost me. What is DTP?
> >
> > >
> > > --David
> > >
> > >
> > > -----Original Message-----
> > > From: Dick Hardt [mailto:dick at sxip.com]
> > > Sent: Saturday, April 07, 2007 07:30 AM Pacific Standard Time
> > > To: Ben Laurie
> > > Cc: OpenID General
> > > Subject: Re: [OpenID] OpenID as a PKI facilitator
> > >
> > >
> > > On 7-Apr-07, at 3:53 AM, Ben Laurie wrote:
> > >
> > > > On 4/7/07, Dick Hardt <dick at sxip.com> wrote:
> > > >> Hmmm ... that is not how I understood it worked from talking to
> > > >> Ben Laurie.
> > > >>
> > > >> Ben: would seem pretty heavy if zone file was needed to store a
> > > >> key in a record. Is this true?
> > > >
> > > > No. But nor is that what David said: he said a separate zone was
> > > > needed for each signing key. Which is true.
> > > >
> > > > What I can't figure out from what has been written in this thread
> > > > is what exactly you are trying to do, or why it would involve
> > > > multiple signing keys - from what I'm reading, you want to publish
> > > > a key per user, signed by some authority, which you can do in a
> > > > single zone. But I'm guessing wildly.
> > >
> > > Your guess is what we were talking about. How do you publish a key
> > > for the user, where each user is represented by a different DNS
> > > record.
> > >
> > > dick.pip.verisignlabs.com and david.pip.verisignlabs.com would be
> > > able to be in the zone and hence use the signing key for
> > > pip.verisignlabs.com.
> > >
> > > -- Dick
> > >
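What the thread converges on is that each user gets their own record under the same zone (dick.pip.verisignlabs.com and david.pip.verisignlabs.com), the zone key signs those records, and RFC 4398 gives the record type for carrying a certificate in DNS. The following is an added example, not code from the thread or from any OpenID or DTP implementation: a small Python encoder and parser for CERT RDATA (16-bit type, 16-bit key tag, 8-bit algorithm, then the certificate bytes, per RFC 4398 section 2.1) plus the zone-file presentation form, used to emit one CERT RR per user under pip.verisignlabs.com. The owner names come from the thread; the certificate bytes are constructed placeholders, and the key tag and algorithm values of 0 are a simplifying assumption for keys that are not also published as DNSKEY records.

```python
import base64
import struct

# Certificate type values from RFC 4398, section 2.1.
CERT_TYPES = {
    1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
    6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID",
}
CERT_TYPE_BY_NAME = {name: value for value, name in CERT_TYPES.items()}

# Fixed RDATA header: 16-bit type, 16-bit key tag, 8-bit algorithm.
HEADER = struct.Struct("!HHB")


def encode_cert_rdata(cert_type, key_tag, algorithm, cert_bytes):
    """Wire-format CERT RDATA: header followed by the certificate or CRL bytes."""
    for name, value, limit in (("type", cert_type, 0xFFFF),
                               ("key tag", key_tag, 0xFFFF),
                               ("algorithm", algorithm, 0xFF)):
        if not 0 <= value <= limit:
            raise ValueError(f"CERT {name} {value} out of range")
    return HEADER.pack(cert_type, key_tag, algorithm) + bytes(cert_bytes)


def decode_cert_rdata(rdata):
    """Inverse of encode_cert_rdata; rejects RDATA too short to hold the header."""
    if len(rdata) < HEADER.size:
        raise ValueError("CERT RDATA truncated: shorter than the 5-byte header")
    cert_type, key_tag, algorithm = HEADER.unpack(rdata[:HEADER.size])
    return cert_type, key_tag, algorithm, rdata[HEADER.size:]


def cert_rr_text(owner, ttl, cert_type, key_tag, algorithm, cert_bytes):
    """Presentation (zone-file) form: owner TTL IN CERT type key-tag algorithm base64-cert."""
    type_field = CERT_TYPES.get(cert_type, str(cert_type))
    b64 = base64.b64encode(cert_bytes).decode("ascii")
    return " ".join([owner, str(ttl), "IN", "CERT", type_field,
                     str(key_tag), str(algorithm), b64])


def parse_cert_rr_text(line):
    """Parse one presentation-format CERT RR into (owner, ttl, wire RDATA).

    The type field may be a mnemonic or a decimal value; base64 may be split
    across several whitespace-separated fields, as zone files allow.
    """
    fields = line.split()
    if len(fields) < 8 or fields[2] != "IN" or fields[3] != "CERT":
        raise ValueError(f"not a CERT RR: {line!r}")
    owner, ttl, _, _, type_field, key_tag, algorithm = fields[:7]
    cert_type = CERT_TYPE_BY_NAME.get(type_field.upper())
    if cert_type is None:
        cert_type = int(type_field)
    cert_bytes = base64.b64decode("".join(fields[7:]), validate=True)
    return owner, int(ttl), encode_cert_rdata(cert_type, int(key_tag),
                                              int(algorithm), cert_bytes)


def per_user_cert_zone(zone, ttl, user_certs):
    """One CERT RR per user, every owner name inside the same zone.

    user_certs maps a user label to its certificate bytes. Assumption: these
    keys are not also published as DNSKEY records, so key tag and algorithm
    are left at 0; RFC 4398 s2.1 defines when they must match a DNSKEY.
    """
    return [
        cert_rr_text(f"{label}.{zone}.", ttl, CERT_TYPE_BY_NAME["PKIX"], 0, 0, cert)
        for label, cert in sorted(user_certs.items())
    ]


# Constructed placeholder bytes standing in for per-user certificates.
SAMPLE_CERTS = {
    "dick": b"constructed placeholder cert for dick",
    "david": b"constructed placeholder cert for david",
}


def demo():
    """Emit the per-user records, then parse them back to confirm the round trip."""
    lines = per_user_cert_zone("pip.verisignlabs.com", 3600, SAMPLE_CERTS)
    parsed = {}
    for line in lines:
        owner, _ttl, rdata = parse_cert_rr_text(line)
        parsed[owner] = decode_cert_rdata(rdata)
    return lines, parsed


if __name__ == "__main__":
    for rr in demo()[0]:
        print(rr)
```

Both records carry different certificates but share one zone, so a single zone key (the DNSSEC signature over the zone) vouches for both; nothing in the format requires a separate zone per user key.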