[OpenID] OpenID + Certs

Pat Cappelaere pat at cappelaere.com
Wed Apr 25 01:22:33 UTC 2007


Jim,

Isn't it a true statement that for me to be capable of connecting to an SSL
enabled OpenID provider means that I own the private key?

So as a consumer, I can assume that the user was the valid user of that
certificate at the upload time and I only need to check if the cert has not
been revoked (if stolen), right?

Pat.


> From: Jim Spring <jmspring at gmail.com>
> Date: Tue, 24 Apr 2007 17:47:42 -0700
> To: Pat Cappelaere <pat at cappelaere.com>
> Cc: Dick Hardt <dick at sxip.com>, <general at openid.net>
> Subject: Re: [OpenID] OpenID + Certs
> 
> Pat -
> 
> I think the idea of including the certificate in with the profile has
> some merits, but how do you propose verifying the certificate -- meaning
> presenting a certificate is one thing, but it is not useful without the
> private key -- to verify that the user presenting the certificate actually
> is the one it belongs to.
> 
> I can see a role in the presence of the certificate as an attribute could
> be an enabler for backend/legacy functionality that is PKI enabled (SSL,
> etc), but I haven't seen anything that directly allows for a path doing
> the full X509 validation along with some private key operation.
> 
> -jim spring
> 
> On Apr 24, 2007, at 5:36 PM, Pat Cappelaere wrote:
> 
>> Dick,
>> 
>> I am using the term cert as in X.509 certificates being used by major
>> corporations and DoD to identify their users.
>> These certs contain validated user profile information that ought to be
>> available in an OpenID user profile as an optional attribute at a
>> minimum.
>> How many of them are already out there? Many millions.
>> This ought to be leveraged somehow.
>> 
>> Pat.
>> 
>> 
>> 
>>> From: Dick Hardt <dick at sxip.com>
>>> Date: Wed, 25 Apr 2007 00:36:52 +0200
>>> To: Pat Cappelaere <pat at cappelaere.com>
>>> Cc: Hans Granqvist <hgranqvist at verisign.com>, <general at openid.net>
>>> Subject: Re: [OpenID] OpenID + Certs
>>> 
>>> Pat
>>> 
>>> I think you are confusing people using the term Certificate here.
>>> While a certificate can contain any data, I think of the certs
>>> primarily as being a statement binding an entity to a public key.
>>> 
>>> I think you are talking about verified claims, and this is definitely
>>> something that Attribute Exchange is all about.
>>> 
>>> We have some demo code where you can get a claim binding your OpenID
>>> to an email address at:
>>> 
>>> https://verify.sxip.com/email/.
>>> 
>>> The only OP I know of that talks AX at this point is Sxipper.
>>> 
>>> -- Dick
>>> 
>>> On 24-Apr-07, at 10:14 PM, Pat Cappelaere wrote:
>>> 
>>>> Hans,
>>>> 
>>>> Not as a distribution mechanism per se, but as a way to get access to
>>>> validated information about a user.  Corporate persona would be
>>>> encapsulated in the PKI that would not be tampered with by the user
>>>> (like any of the other profile attributes which can be altered at will).
>>>> That cert would only be one extra attribute in the profile.
>>>> The user could upload new ones if necessary.  I will keep on checking at
>>>> every login.
>>>> Otherwise, I can't really tell for sure what the user organization is and
>>>> what email is valid.
>>>> 
>>>> Does this make more sense?
>>>> Thanks,
>>>> Pat.
>>>> 
>>>> 
>>>> 
>>>>> From: Hans Granqvist <hgranqvist at verisign.com>
>>>>> Date: Tue, 24 Apr 2007 09:07:06 -0700
>>>>> To: Pat Cappelaere <pat at cappelaere.com>
>>>>> Cc: "Recordon, David" <drecordon at verisign.com>,
>>>>> <general at openid.net>
>>>>> Subject: Re: [OpenID] OpenID + Certs
>>>>> 
>>>>> Pat Cappelaere wrote:
>>>>>> David,
>>>>>> 
>>>>>> This is pretty much what I need today.  Could you implement that on your
>>>>>> OpenID server at Verisign, please? :)
>>>>>> Since it is optional, it would not break anything.
>>>>>> Since Verisign is pretty big in Certificate Management, it might even make
>>>>>> sense.
>>>>>> Thanks,
>>>>>> Pat.
>>>>> 
>>>>> Pat, I'm confused: Do you want to use OpenID attribute exchange as a PKI
>>>>> distribution mechanism?
>>>>> 
>>>>> -Hans
>>>> 
>>>> 
>>>> _______________________________________________
>>>> general mailing list
>>>> general at openid.net
>>>> http://openid.net/mailman/listinfo/general
>>>> 
>>>> 
>>> 
>> 
>> 
> 