[Specs-cx] Binding X.509 subject to /Contract/Party/@id

Nat Sakimura sakimura at gmail.com
Thu Apr 22 05:47:04 UTC 2010


We can sign the existing XRDS with XML DSig as well.
XRD is not yet in use so just in case.

As to the trust framework, we can just state that the trust circle should
decide the specifics, but one should check the claimed_id against
Subject or Subject AltName etc., AND cert usage AND crl, etc.

=nat


On Thu, Apr 22, 2010 at 2:15 PM, nara hideki <hdknr at ic-tact.co.jp> wrote:

> Thank you again David.
> I should look at the XRD signature.
>
> Thanks!
> ---
> hdknr
>
> 2010/4/20 David García <david.garcia at tractis.com>:
> > Hi Nara,
> >
> > in my opinion maybe the best option is signing XRD.
> >
> > This way you will have a proof of possession of the certificate by the party
> > offering XRD prior to starting contract exchange.
> >
> > I've been checking XRD signature and they're quite aligned with some
> > questions we discussed before, like restrictions over signing certificate's
> > key usage. Furthermore they define with some detail signature validation
> > process.
> >
> > Best regards!
> >
> > Dave
> >
> > 2010/4/20 nara hideki <hdknr at ic-tact.co.jp>
> >>
> >> Hi, experts.
> >>
> >> I think that there should be rules for binding X.509 subject used to
> >> sign a contract to /Contract/Party/@id.
> >>
> >> Two ways came to my mind :
> >>
> >> 1.  XRD/XRDS discovered for /Contract/Party/@id MUST be signed with
> >> same certificate used to sign contracts.
> >> 2.  X.509 should have a property for the Party/@id.
> >>
> >> There could be more or better ones.
> >>
> >> Any idea welcome.
> >>
> >> Thanks.
> >> ---
> >> hdknr
> >> _______________________________________________
> >> Specs-cx mailing list
> >> Specs-cx at lists.openid.net
> >> http://lists.openid.net/mailman/listinfo/openid-specs-cx
> >
> >
> >
> > --
> > David Garcia
> > CTO
> > Tractis - Online contracts you can enforce
> > http://www.tractis.com
> > --
> > Email: david.garcia at tractis.com
> > Skype: deiffbcn
> > Blog: http://blog.negonation.com
> > Linkedin: http://www.linkedin.com/in/davebcn
> >
> >
> >



-- 
Nat Sakimura (=nat)
http://www.sakimura.org/en/
http://twitter.com/_nat_en
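
The checks named at the top of this message (claimed_id against Subject AltName, cert usage, revocation), as an added example that is not part of the original thread or of any spec text. It assumes the Python `cryptography` package, an exact string match of the claimed_id against SAN URI entries, and a hypothetical `revoked_serials` set standing in for serial numbers parsed from the issuer's CRL; chain validation to a trust anchor is left to the trust circle's policy and is not shown.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(party_uri, signing=True):
    """Constructed self-signed sample certificate (test input, not from the thread)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Party")])
    now = dt.datetime.now(dt.timezone.utc)
    ku = x509.KeyUsage(digital_signature=signing, content_commitment=signing,
                       key_encipherment=not signing, data_encipherment=False,
                       key_agreement=False, key_cert_sign=False, crl_sign=False,
                       encipher_only=False, decipher_only=False)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=30))
            .add_extension(x509.SubjectAlternativeName(
                [x509.UniformResourceIdentifier(party_uri)]), critical=False)
            .add_extension(ku, critical=True)
            .sign(key, hashes.SHA256()))

def check_binding(cert, claimed_id, revoked_serials=frozenset()):
    """Return a list of failures; an empty list means claimed_id is bound to cert."""
    problems = []
    # 1. claimed_id (the /Contract/Party/@id value) must appear as a SAN URI.
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        uris = san.get_values_for_type(x509.UniformResourceIdentifier)
    except x509.ExtensionNotFound:
        uris = []
    if claimed_id not in uris:
        problems.append("claimed_id not in subjectAltName")
    # 2. Certificate usage must allow signing (digitalSignature or nonRepudiation).
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        if not (ku.digital_signature or ku.content_commitment):
            problems.append("key usage does not permit signing")
    except x509.ExtensionNotFound:
        problems.append("no keyUsage extension")
    # 3. Revocation: serial must not be listed (set assumed to come from the CRL).
    if cert.serial_number in revoked_serials:
        problems.append("certificate revoked")
    return problems
```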