Key Discovery In DTP Draft 3

Drummond Reed drummond.reed at cordance.net
Fri Jan 5 06:22:45 UTC 2007


Just FYI, the xmldsig KeyInfo element is already part of the XRD schema
because the XRI Resolution spec uses it in the SAML form of trusted XRI
resolution. And either the SAML form or the HTTPS form of XRI trusted res
can give you the security characteristics in the Key Discovery spec.

That said, there can be advantages to managing the cert via an independent
service.

So I'm not coming down on either side (yet ;-)

=Drummond 

-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
Of Recordon, David
Sent: Thursday, January 04, 2007 10:07 PM
To: Carl Howells; Grant Monroe
Cc: specs at openid.net
Subject: Key Discovery In DTP Draft 3

Hey guys,
Was looking at
http://openid.net/specs/openid-service-key-discovery-1_0-01.html tonight
and curious why the decision was made to define the <PublicKey />
element which contains a link to the RSA key or X.509 certificate versus
embedding the key in the XRDS file?

>From the research I've done tonight, it looks like the W3C in 2002
described how to do this as part of xmldsig.  Seems like we can just use
the <KeyInfo> element.
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-KeyInfo
They've also then recently put out a note describing the changes to that
document to match XML in 2006.
http://www.w3.org/TR/2006/NOTE-DSig-usage-20061220/

Is there something that I'm missing from the design standpoint as to why
this wasn't done?  If anything, it seems like it would reduce a fetch if
the key was in the XRDS file itself.

--David
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs




More information about the specs mailing list