[OpenID] OpenID + Certs
Pat Cappelaere
pat at cappelaere.com
Wed Apr 25 01:22:33 UTC 2007
Jim,
Isn't it a true statement that for me to be capable of connecting to an SSL
enabled OpenID provider means that I own the private key?
So as a consumer, I can assume that the user was the valid user of that
certificate at the upload time and I only need to check if the cert has not
been revoked (if stolen), right?
Pat.
> From: Jim Spring <jmspring at gmail.com>
> Date: Tue, 24 Apr 2007 17:47:42 -0700
> To: Pat Cappelaere <pat at cappelaere.com>
> Cc: Dick Hardt <dick at sxip.com>, <general at openid.net>
> Subject: Re: [OpenID] OpenID + Certs
>
> Pat -
>
> I think the idea of including the certificate in with the profile has
> some merits, but how do you propose verifying the certificate -- meaning
> presenting a certificate is one thing, but it is not useful without the
> private key -- to verify that the user presenting the certificate actually
> is the one it belongs to.
>
> I can see a role in the presence of the certificate as an attribute
> could be an enabler for backend/legacy functionality that is PKI enabled
> (SSL, etc), but I haven't seen anything that directly allows for a path
> doing the full X509 validation along with some private key operation.
>
> -jim spring
>
> On Apr 24, 2007, at 5:36 PM, Pat Cappelaere wrote:
>
>> Dick,
>>
>> I am using the term cert as in X.509 certificates being used by major
>> corporations and DoD to identify their users.
>> These certs contain validated user profile information that ought to be
>> available in an OpenID user profile as an optional attribute at a
>> minimum.
>> How many of them are already out there? Many millions.
>> This ought to be leveraged somehow.
>>
>> Pat.
>>
>>
>>
>>> From: Dick Hardt <dick at sxip.com>
>>> Date: Wed, 25 Apr 2007 00:36:52 +0200
>>> To: Pat Cappelaere <pat at cappelaere.com>
>>> Cc: Hans Granqvist <hgranqvist at verisign.com>, <general at openid.net>
>>> Subject: Re: [OpenID] OpenID + Certs
>>>
>>> Pat
>>>
>>> I think you are confusing people using the term Certificate here.
>>> While a certificate can contain any data, I think of the certs
>>> primarily as being a statement binding an entity to a public key.
>>>
>>> I think you are talking about verified claims, and this is definitely
>>> something that Attribute Exchange is all about.
>>>
>>> We have some demo code where you can get a claim binding your OpenID
>>> to an email address at:
>>>
>>> https://verify.sxip.com/email/.
>>>
>>> The only OP I know of that talks AX at this point is Sxipper.
>>>
>>> -- Dick
>>>
>>> On 24-Apr-07, at 10:14 PM, Pat Cappelaere wrote:
>>>
>>>> Hans,
>>>>
>>>> Not as a distribution mechanism per se, but as a way to get access to
>>>> validated information about a user. Corporate persona would be
>>>> encapsulated in the PKI that would not be tampered with by the user
>>>> (like any of the other profile attributes which can be altered at will).
>>>> That cert would only be one extra attribute in the profile.
>>>> The user could upload new ones if necessary. I will keep on checking at
>>>> every login.
>>>> Otherwise, I can't really tell for sure what the user organization is
>>>> and what email is valid.
>>>>
>>>> Does this make more sense?
>>>> Thanks,
>>>> Pat.
>>>>
>>>>
>>>>
>>>>> From: Hans Granqvist <hgranqvist at verisign.com>
>>>>> Date: Tue, 24 Apr 2007 09:07:06 -0700
>>>>> To: Pat Cappelaere <pat at cappelaere.com>
>>>>> Cc: "Recordon, David" <drecordon at verisign.com>,
>>>>> <general at openid.net>
>>>>> Subject: Re: [OpenID] OpenID + Certs
>>>>>
>>>>> Pat Cappelaere wrote:
>>>>>> David,
>>>>>>
>>>>>> This is pretty much what I need today. Could you implement that on
>>>>>> your OpenID server at Verisign, please? :)
>>>>>> Since it is optional, it would not break anything.
>>>>>> Since Verisign is pretty big in Certificate Management, it might even
>>>>>> make sense.
>>>>>> Thanks,
>>>>>> Pat.
>>>>>
>>>>> Pat, I'm confused: Do you want to use OpenID attribute exchange as a
>>>>> PKI distribution mechanism?
>>>>>
>>>>> -Hans
>>>>
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at openid.net
>>>> http://openid.net/mailman/listinfo/general
>>>>
>>>>
>>>
>>
>
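Jim's objection and Pat's question, worked as an added example that is not from this thread or from any OpenID implementation: using Go's standard-library x509 package, a consumer accepts a presented X.509 certificate only after chain validation, a revocation check, and a proof of possession (a signature over the consumer's own fresh nonce). The CA, the user certificate and the revocation map are constructed fixtures; Verifier, Check, Sign and NewFixture are names chosen here.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// Verifier is the consumer's side: a trusted CA and the serials it has revoked (a constructed map standing in for its CRL).
type Verifier struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
}
// Check accepts a cert only if it chains to a trusted CA, is unrevoked, and the presenter signed our fresh nonce with its key.
func (v *Verifier) Check(leaf *x509.Certificate, nonce, sig []byte) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: v.Roots}); err != nil {
		return err // untrusted issuer or outside the validity period
	}
	if v.Revoked[leaf.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	// The cert alone proves nothing; a signature only its private key can make does.
	if err := leaf.CheckSignature(x509.PureEd25519, nonce, sig); err != nil {
		return errors.New("proof of possession failed: " + err.Error())
	}
	return nil
}
// Sign is the presenter's half: sign the consumer's nonce with the cert's private key.
func Sign(key ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(key, nonce)
}
// NewFixture builds a constructed CA, a user cert it issued, and a Verifier trusting it.
func NewFixture() (*Verifier, *x509.Certificate, ed25519.PrivateKey) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	userPub, userKey, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp CA"},
		NotBefore: now, NotAfter: now.Add(time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "pat"},
		NotBefore: now, NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, userPub, caKey)
	user, _ := x509.ParseCertificate(userDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return &Verifier{Roots: roots, Revoked: map[string]bool{}}, user, userKey
}
```

A copied certificate without its key fails at the last step, a certificate from a CA the consumer does not trust fails at the first, and a signature captured from an earlier login fails because the nonce differs; revocation is the only check that catches a certificate whose key has also leaked.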