[OpenID] OpenID + Certs

Dick Hardt dick at sxip.com
Wed Apr 25 04:31:42 UTC 2007


Hi Pat

Thanks for clarifying.

Personally, I think this overloading of the X.509 cert to be used for  
proving both that I am a particular entity as well as asserting facts  
about me is why PKI is not more widely deployed. From what I have  
learned talking to the DoD, the utilization and "trust" of this other  
data is nominal.

-- Dick

On 25-Apr-07, at 2:36 AM, Pat Cappelaere wrote:

> Dick,
>
> I am using the term cert as in X.509 certificates being used by major
> corporations and DoD to identify their users.
> These certs contain validated user profile information that ought to be
> available in an OpenID user profile as an optional attribute at a minimum.
> How many of them are already out there? Many millions.
> This ought to be leveraged somehow.
>
> Pat.
>
>
>
>> From: Dick Hardt <dick at sxip.com>
>> Date: Wed, 25 Apr 2007 00:36:52 +0200
>> To: Pat Cappelaere <pat at cappelaere.com>
>> Cc: Hans Granqvist <hgranqvist at verisign.com>, <general at openid.net>
>> Subject: Re: [OpenID] OpenID + Certs
>>
>> Pat
>>
>> I think you are confusing people using the term Certificate here.
>> While a certificate can contain any data, I think of the certs
>> primarily as being a statement binding an entity to a public key.
>>
>> I think you are talking about verified claims, and this is definitely
>> something that Attribute Exchange is all about.
>>
>> We have some demo code where you can get a claim binding your OpenID
>> to an email address at:
>>
>> https://verify.sxip.com/email/.
>>
>> The only OP I know of that talks AX at this point is Sxipper.
>>
>> -- Dick
>>
>> On 24-Apr-07, at 10:14 PM, Pat Cappelaere wrote:
>>
>>> Hans,
>>>
>>> Not as a distribution mechanism per se, but as a way to get access to
>>> validated information about a user.  Corporate persona would be
>>> encapsulated in the PKI that would not be tampered with by the user (like
>>> any of the other profile attributes which can be altered at will).
>>> That cert would only be one extra attribute in the profile.
>>> The user could upload new ones if necessary.  I will keep on checking at
>>> every login.
>>> Otherwise, I can't really tell for sure what the user organization is and
>>> what email is valid.
>>>
>>> Does this make more sense?
>>> Thanks,
>>> Pat.
>>>
>>>
>>>
>>>> From: Hans Granqvist <hgranqvist at verisign.com>
>>>> Date: Tue, 24 Apr 2007 09:07:06 -0700
>>>> To: Pat Cappelaere <pat at cappelaere.com>
>>>> Cc: "Recordon, David" <drecordon at verisign.com>,  
>>>> <general at openid.net>
>>>> Subject: Re: [OpenID] OpenID + Certs
>>>>
>>>> Pat Cappelaere wrote:
>>>>> David,
>>>>>
>>>>> This is pretty much what I need today.  Could you implement that on your
>>>>> OpenID server at Verisign, please? :)
>>>>> Since it is optional, it would not break anything.
>>>>> Since Verisign is pretty big in Certificate Management, it might even make
>>>>> sense.
>>>>> Thanks,
>>>>> Pat.
>>>>
>>>> Pat, I'm confused: Do you want to use OpenID attribute exchange as a PKI
>>>> distribution mechanism?
>>>>
>>>> -Hans
>>>
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
>>>
>>>
>>
>
>
>




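The check Pat describes (a relying party validating the corporate cert at every login and only then believing the organization and email it carries) and the distinction Dick draws (the signature binds a key to an entity; the attributes riding along are only as good as whoever signed them) can be shown end to end. The following is an added example in Go using only the standard library; it is not code from this thread or from any OpenID, Sxip or Verisign project. It builds its own throwaway "corporate" root, so the organization name, the email address, and all function names are assumptions for illustration. It also goes one step past the thread by issuing a look-alike cert with identical attributes from an unrelated root, to show that the relying party's decision rests entirely on the chain, not on the attribute values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Profile is what a relying party may read out of a cert only after the chain verifies.
type Profile struct {
	Organization string
	Email        string
}

// caTemplate describes a root CA; a stand-in for a corporate PKI root (org name is assumed).
func caTemplate(org string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: org + " Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
}

// userTemplate carries the org in the subject and the email in the subjectAltName (both assumed values).
func userTemplate(org, email string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:   big.NewInt(2),
		Subject:        pkix.Name{Organization: []string{org}, CommonName: email},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// sign generates a fresh key for tmpl and has parent sign it; a nil parent means self-signed.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ProfileFromCert is the per-login check: chain to the trusted corporate root first,
// and only then believe the org and email the cert asserts.
func ProfileFromCert(user, root *x509.Certificate) (Profile, error) {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := user.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return Profile{}, err // unknown issuer, expired, wrong usage: the attributes are worthless
	}
	if len(user.Subject.Organization) == 0 || len(user.EmailAddresses) == 0 {
		return Profile{}, fmt.Errorf("chain verifies but cert carries no org/email")
	}
	return Profile{Organization: user.Subject.Organization[0], Email: user.EmailAddresses[0]}, nil
}

// loginCheck issues a user cert under issuer and runs the relying party's check against trustedRoot.
func loginCheck(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, trustedRoot *x509.Certificate) (Profile, error) {
	user, _, err := sign(userTemplate("Example Corp", "alice@example.com"), issuer, issuerKey)
	if err != nil {
		return Profile{}, err
	}
	return ProfileFromCert(user, trustedRoot)
}

// RunDemo returns the accepted profile for a cert from the real root, and the
// rejection for a look-alike cert carrying identical attributes from a rogue root.
func RunDemo() (legit Profile, legitErr, forgedErr error) {
	root, rootKey, err1 := sign(caTemplate("Example Corp"), nil, nil)
	rogue, rogueKey, err2 := sign(caTemplate("Example Corp"), nil, nil) // same name, unrelated key
	if err1 != nil || err2 != nil {
		return Profile{}, fmt.Errorf("setup failed: %v %v", err1, err2), nil
	}
	legit, legitErr = loginCheck(root, rootKey, root)
	_, forgedErr = loginCheck(rogue, rogueKey, root)
	return legit, legitErr, forgedErr
}

func main() {
	legit, legitErr, forgedErr := RunDemo()
	fmt.Printf("legit: %+v (err=%v)\nforged: rejected with %v\n", legit, legitErr, forgedErr)
}
```

Two details worth noting if you adapt this: the relying party pins the corporate root itself rather than the system trust store, since a public CA would happily issue a cert with an arbitrary Organization field to anyone who controls the domain; and the verification is scoped to the Client Authentication extended key usage, so a server cert from the same PKI cannot be replayed as a user credential.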