Key Discovery In DTP Draft 3

Drummond Reed drummond.reed at cordance.net
Fri Jan 5 06:53:34 UTC 2007


That could work. Very XDI RDF-like approach, i.e., the URL/XRI being
resolved is the Subject, the URL/XRI value of the Type element is the RDF
predicate, and the value of the data sharing:KeyInfo element is the RDF
object (in this case a literal).

=Drummond 

-----Original Message-----
From: Recordon, David [mailto:drecordon at verisign.com] 
Sent: Thursday, January 04, 2007 10:35 PM
To: Drummond Reed; Carl Howells; Grant Monroe
Cc: specs at openid.net
Subject: RE: Key Discovery In DTP Draft 3

Oooh, interesting...

So looking at working draft 10
http://www.oasis-open.org/committees/download.php/17293 it seems that
3.2.5 is most relevant in that it describes
xrd:XRD/xrd:Service/ds:KeyInfo which seems to be where in the schema the
key would want to sit.  The only thing is that 3.2.5 is talking about
having the key present to verify a signature on the XRD file itself,
though in this case it may not actually be signed.

What I was toying with was something along the lines of:
<Service>
 
<Type>http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-KeyInfo</
Type>
  <ds:KeyInfo>
    ...
  </ds:KeyInfo>
</Service>

Thus it makes it easy for existing Yadis libraries to pick the key out
by the Type element.

--David

-----Original Message-----
From: Drummond Reed [mailto:drummond.reed at cordance.net] 
Sent: Thursday, January 04, 2007 10:23 PM
To: Recordon, David; 'Carl Howells'; 'Grant Monroe'
Cc: specs at openid.net
Subject: RE: Key Discovery In DTP Draft 3

Just FYI, the xmldsig KeyInfo element is already part of the XRD schema
because the XRI Resolution spec uses it in the SAML form of trusted XRI
resolution. And either the SAML form or the HTTPS form of XRI trusted
res can give you the security characteristics in the Key Discovery spec.

That said, there can be advantages to managing the cert via an
independent service.

So I'm not coming down on either side (yet ;-)

=Drummond 

-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
Behalf Of Recordon, David
Sent: Thursday, January 04, 2007 10:07 PM
To: Carl Howells; Grant Monroe
Cc: specs at openid.net
Subject: Key Discovery In DTP Draft 3

Hey guys,
Was looking at
http://openid.net/specs/openid-service-key-discovery-1_0-01.html tonight
and curious why the decision was made to define the <PublicKey />
element which contains a link to the RSA key or X.509 certificate versus
embedding the key in the XRDS file?

>From the research I've done tonight, it looks like the W3C in 2002
described how to do this as part of xmldsig.  Seems like we can just use
the <KeyInfo> element.
http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/#sec-KeyInfo
They've also then recently put out a note describing the changes to that
document to match XML in 2006.
http://www.w3.org/TR/2006/NOTE-DSig-usage-20061220/

Is there something that I'm missing from the design standpoint as to why
this wasn't done?  If anything, it seems like it would reduce a fetch if
the key was in the XRDS file itself.

--David
_______________________________________________
specs mailing list
specs at openid.net
http://openid.net/mailman/listinfo/specs





More information about the specs mailing list