Key Discovery In DTP Draft 3

Drummond Reed drummond.reed at
Fri Jan 5 06:53:34 UTC 2007

That could work. Very XDI RDF-like approach, i.e., the URL/XRI being
resolved is the Subject, the URL/XRI value of the Type element is the RDF
predicate, and the value of the data sharing:KeyInfo element is the RDF
object (in this case a literal).


-----Original Message-----
From: Recordon, David [mailto:drecordon at] 
Sent: Thursday, January 04, 2007 10:35 PM
To: Drummond Reed; Carl Howells; Grant Monroe
Cc: specs at
Subject: RE: Key Discovery In DTP Draft 3

Oooh, interesting...

So looking at working draft 10 it seems that
3.2.5 is most relevant in that it describes
xrd:XRD/xrd:Service/ds:KeyInfo which seems to be where in the schema the
key would want to sit.  The only thing is that 3.2.5 is talking about
having the key present to verify a signature on the XRD file itself,
though in this case it may not actually be signed.

What I was toying with was something along the lines of:

Thus it makes it easy for existing Yadis libraries to pick the key out
by the Type element.


-----Original Message-----
From: Drummond Reed [mailto:drummond.reed at] 
Sent: Thursday, January 04, 2007 10:23 PM
To: Recordon, David; 'Carl Howells'; 'Grant Monroe'
Cc: specs at
Subject: RE: Key Discovery In DTP Draft 3

Just FYI, the xmldsig KeyInfo element is already part of the XRD schema
because the XRI Resolution spec uses it in the SAML form of trusted XRI
resolution. And either the SAML form or the HTTPS form of XRI trusted
res can give you the security characteristics in the Key Discovery spec.

That said, there can be advantages to managing the cert via an
independent service.

So I'm not coming down on either side (yet ;-)


-----Original Message-----
From: specs-bounces at [mailto:specs-bounces at] On
Behalf Of Recordon, David
Sent: Thursday, January 04, 2007 10:07 PM
To: Carl Howells; Grant Monroe
Cc: specs at
Subject: Key Discovery In DTP Draft 3

Hey guys,
Was looking at tonight
and curious why the decision was made to define the <PublicKey />
element which contains a link to the RSA key or X.509 certificate versus
embedding the key in the XRDS file?

>From the research I've done tonight, it looks like the W3C in 2002
described how to do this as part of xmldsig.  Seems like we can just use
the <KeyInfo> element.
They've also then recently put out a note describing the changes to that
document to match XML in 2006.

Is there something that I'm missing from the design standpoint as to why
this wasn't done?  If anything, it seems like it would reduce a fetch if
the key was in the XRDS file itself.

specs mailing list
specs at

More information about the specs mailing list