Server-to-server channel

Douglas Otis dotis at mail-abuse.org
Wed Apr 4 19:43:02 UTC 2007


On Apr 4, 2007, at 11:44 AM, Vinay Gupta wrote:

> On Apr 4, 2007, at 6:13 PM, Douglas Otis wrote:
>> There could be keys used to authorize some other automated  
>> service, or to act as a replacement for OpenID once the key has  
>> been established.  One might be defined for email, IM, VoIP, etc.
>
> It's not the public key management in a scheme like this that  
> concerns me...
>
> Two issues: private key management - are the keys scattered, like  
> your VOIP key lives in Gizmo, and your SSH key lives in your .ssh,  
> and so on? Or do we by logical extension begin to impose some order  
> here and have one key pair per person... you see where this goes,  
> right?

Related services that can be enabled by using OpenID as a key  
distribution scheme.  Keys would need to relate to services handled  
by the consumer or RP.  A sub-attribute could help facilitate correct  
placement of the keys and to allow different keys for different  
purposes.

> Secondly X509 certificates are very, very broken in terms of  
> delegation semantics and certification semantics (at least in many  
> people's eyes, mine included.)
>
> So.. SPKI?
>
> (yes, I've been over this territory.... and that's pretty much what  
> I'm doing here.)

How these keys are handled internally could be left to the consumer  
or RP.  Either the OpenID server or the Consumer or RP could fashion  
their own certs based upon this information where it is administered  
and integrated with other services.  The individual end-user would  
only need to submit their set of public keys for this to become  
possible.

-Doug