[OpenID] OpenID as a PKI facilitator

Anders Feder lists.anders at feder.dk
Fri Apr 6 17:36:57 UTC 2007


I'm fairly new to this list, so please bear with me if this subject is 
already well-understood.

It's my humble contention, completely without grounding in documented 
research, that PKI has failed to proliferate as the standard platform 
for electronic communication for two reasons:

1. The incentive to acquire a personal public key is weak. The user must 
actively seek out PKI solutions in order to have a key pair generated, 
and the fact of the matter is that the vast majority of users don't even 
know what a public key is. Even if the user does manage to acquire a 
public key, he will have little use for it since most of his peers 
wouldn't know what to do with it.
2. There is no standard way of retrieving the public key of a recipient 
user, quite simply because the user is poorly defined outside of the PKI 
- a retrieving agent wouldn't know where to look.

OpenID has the potential to solve both of these problems:

1. As OpenID is adopted across the Web, most users are likely to acquire 
an OpenID identifier. If every OP in addition helps the user generate a 
PKI keypair, the issue of public key proliferation is solved.
2. OpenID identifiers are URLs, which, by definition, happen to 
identify a resource for which retrieval is well-defined. OpenID, on the 
other hand, defines how such a resource is unambiguously associated with 
a user. If the user's public key is stored together with the OpenID 
resource, the issue of public key retrieval is solved.

In other words, OpenID could be the final building block in the 
establishment of a global PKI. A global PKI, in turn, would have a 
far-reaching impact on IT in general and information security in 
particular. Exploiting this potential would require a standard protocol 
for public key retrieval upon an OpenID identifier.

* Is there any interest in the community to establish such a standard?
* Has any work already been done to this end?
* Or have there been other efforts to couple OpenID and PKI?
* Other thoughts?

Regards,
Anders Feder
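The retrieval step sketched in point 2 above (identifier URL, fetch of the resource, key published alongside it), as an added example in Python that is not part of the original message and does not come from any OpenID specification: the link relation "x-openid-pubkey", the hosts, the page contents and the in-memory fetch table are all invented for illustration. It goes slightly beyond the message by applying OpenID 2.0 style identifier normalization and by refusing to treat a key as bound to the identifier unless both the identifier page and the key were fetched over HTTPS, since an http:// page or key file can be rewritten in transit.

```python
"""
Sketch of public-key retrieval keyed on an OpenID identifier.
Added example, not from the original post or any OpenID spec. The link
relation "x-openid-pubkey", the hosts and the page contents are invented,
and fetches are answered from an in-memory table so the code runs offline.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed stand-ins for HTTP responses (no network access). The PEM
# blob is a sample Ed25519 SubjectPublicKeyInfo; it is fingerprinted, not used.
FAKE_WEB = {
    "https://example.net/anders": (
        '<html><head><link rel="openid2.provider" href="https://op.example.net/">'
        '<link rel="x-openid-pubkey" href="/anders/pubkey.pem"></head>'
        "<body>Anders</body></html>"
    ),
    "https://example.net/anders/pubkey.pem": (
        "-----BEGIN PUBLIC KEY-----\n"
        "MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=\n"
        "-----END PUBLIC KEY-----\n"
    ),
    "http://example.org/alice": (
        '<html><head><link rel="x-openid-pubkey" href="http://example.org/alice.pem">'
        "</head></html>"
    ),
    "https://example.com/bob": "<html><head></head><body>no key published</body></html>",
}


def fetch(url):
    """Stand-in for an HTTP GET; returns the body or None for unknown URLs."""
    return FAKE_WEB.get(url)


def normalize_identifier(identifier):
    """OpenID 2.0 style URL normalization: default scheme, no fragment, non-empty path."""
    identifier = identifier.strip()
    if not re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", identifier):
        identifier = "http://" + identifier
    p = urlsplit(identifier)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> pairs, as HTML-based OpenID discovery does."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                self.links.append((a["rel"].lower(), a["href"]))


def find_pubkey_link(base_url, html):
    """Return the absolute URL the page publishes for its public key, or None."""
    collector = LinkCollector()
    collector.feed(html)
    for rel, href in collector.links:
        if "x-openid-pubkey" in rel.split():  # invented relation name
            return urljoin(base_url, href)
    return None


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the DER body."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)


def retrieve_public_key(raw_identifier):
    """Look up the key bound to an OpenID identifier and say how trustworthy the binding is."""
    identifier = normalize_identifier(raw_identifier)
    page = fetch(identifier)
    if page is None:
        return {"status": "unreachable", "identifier": identifier}
    key_url = find_pubkey_link(identifier, page)
    if key_url is None:
        return {"status": "no-key", "identifier": identifier}
    # The identifier-to-key binding is only as strong as the channel each hop
    # was fetched over: an http:// page or key file can be rewritten in transit.
    if urlsplit(identifier).scheme != "https" or urlsplit(key_url).scheme != "https":
        return {"status": "insecure-channel", "identifier": identifier, "key_url": key_url}
    pem = fetch(key_url)
    if pem is None:
        return {"status": "unreachable", "identifier": identifier, "key_url": key_url}
    der = pem_to_der(pem)
    return {"status": "ok", "identifier": identifier, "key_url": key_url,
            "der": der, "sha256": hashlib.sha256(der).hexdigest()}


if __name__ == "__main__":
    for ident in ("https://example.net/anders#me", "example.org/alice",
                  "https://example.com/bob", "example.net/anders"):
        r = retrieve_public_key(ident)
        print(ident, "->", r["status"], r.get("sha256", "")[:16])
```

Everything an application learns here is "the key that the party controlling this URL's content and transport chose to publish", which is exactly the trust relationship the message proposes; the HTTPS check is what keeps that statement honest for a resource that, unlike a CA-issued certificate, carries no signature of its own.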
