[OpenID] 2-Headed OpenID Auth for Increased Security?

Ben Laurie benl at google.com
Mon Dec 1 16:54:26 UTC 2008 

On Mon, Dec 1, 2008 at 4:11 PM, Nat Sakimura <sakimura at gmail.com> wrote:

> FYI, see
> http://wiki.oasis-open.org/xri/XrdOne/SimpleSign
>

I have no idea why that proposes to use OAuth encoding for the signature.
Why not simply sign the document as is?

It also doesn't talk at all about how one gets to trust the signing cert or
who should sign what.

<http://wiki.oasis-open.org/xri/XrdOne/SimpleSign>
>
> =nat
>
> On Mon, Dec 1, 2008 at 10:41 PM, Ben Laurie <benl at google.com> wrote:
>
>>
>>
>> On Mon, Dec 1, 2008 at 1:23 PM, Peter Williams <pwilliams at rapattoni.com>wrote:
>>
>>> Xrd or xrds?
>>
>>
>> XRD.
>>
>>
>>> Interesting! if you go xrd. Then you can do dnssec-like namespace
>>> controls, much like the trusted resolution mode of xri.
>>
>>
>> Not yet all that familar with fully blown XRD, so I'll have to take your
>> word for this - but I am familiar with DNSSEC, so I'm wondering what you
>> mean by a "namespace control"?
>>
>>
>>> Rather than be dnssec static, however, signatures on xrd could also serve
>>> as security tokens, citable on the peer (web) services ("managed" by the
>>> xri/uri). Butler lampson will be in heaven.
>>>
>>> ________________________________
>>> From: Ben Laurie <benl at google.com>
>>> Sent: Monday, December 01, 2008 5:13 AM
>>> To: Peter Williams <pwilliams at rapattoni.com>
>>> Cc: Eric Norman <ejnorman at doit.wisc.edu>; OpenID List <
>>> general at openid.net>
>>> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>>>
>>>
>>>
>>> On Sun, Nov 30, 2008 at 5:56 PM, Peter Williams <pwilliams at rapattoni.com
>>> <mailto:pwilliams at rapattoni.com>> wrote:
>>> Time to take the extension power of XRDS, and apply xmldsig "detached
>>> signature(s)"
>>>
>>> Signing XRD is pretty much what we're proposing for the next
>>> generation...
>>>
>>>
>>>
>>> This would be using similar mechanism as used in Authenticode, where
>>> designers applied 3rd-party countersigning and 4th-party timestamping to
>>> solve validity problems - at internet scale. Different parties (OP,
>>> discovery agents, validation) can then cooperate, in the inherently
>>> suspicious world of open systems.
>>>
>>> The Shib/Apache-xmltooling toolset has all the mechanisms required to
>>> make power-use of the flexibility of the xmldsig standard (as do many other
>>> tools). Being very, very flexible in its references, it's easy to screw up
>>> application of xmldsig, producing unwanted sideeffects tho.
>>>
>>> -----Original Message-----
>>> From: general-bounces at openid.net<mailto:general-bounces at openid.net>
>>> [mailto:general-bounces at openid.net<mailto:general-bounces at openid.net>]
>>> On Behalf Of Eric Norman
>>> Sent: Sunday, November 30, 2008 9:50 AM
>>> To: OpenID List
>>> Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?
>>>
>>>
>>> On Nov 30, 2008, at 9:35 AM, Andrew Arnott wrote:
>>>
>>> > I like the idea.... but the XRDS would have to mandatorily not be
>>> > hosted by either OP (which right now is commonly done), since that OP
>>> > would still ultimately have total assertion power by temporarily
>>> > manipulating the XRDS file to point to two OP endpoints that were both
>>> > controlled by the evil party.
>>>
>>> Be careful.  "Hosted by" does not necessarily imply "content
>>> controlled by".
>>>
>>> Eric Norman
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net<mailto:general at openid.net>
>>> http://openid.net/mailman/listinfo/general
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net<mailto:general at openid.net>
>>> http://openid.net/mailman/listinfo/general
>>>
>>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>>
>
>
> --
> Nat Sakimura (=nat)
> http://www.sakimura.org/en/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20081201/3baafe45/attachment-0002.htm>

More information about the general mailing list