[OpenID] OpenID as a PKI facilitator

Recordon, David drecordon at verisign.com
Sat Apr 7 17:05:36 UTC 2007


Dick said:
> dick.pip.verisignlabs.com and david.pip.verisignlabs.com would
> be able to be in the zone and hence use the signing key for
> pip.verisignlabs.com. 

As I read that, both dick.pip.verisignlabs.com and
david.pip.verisignlabs.com would be in the same zone and thus be using
the same key.

That is not what I was envisioning; I was seeing
dick.pip.verisignlabs.com and david.pip.verisignlabs.com having to be in
separate zones in order to have separate keys.

DTP is a draft back-channel protocol (basically S/MIME over HTTP) which
proposes key discovery via Yadis.
http://openid.net/specs/openid-service-key-discovery-1_0-01.html

--David

-----Original Message-----
From: Ben Laurie [mailto:benl at google.com] 
Sent: Saturday, April 07, 2007 10:01 AM
To: Recordon, David
Cc: Dick Hardt; OpenID General
Subject: Re: [OpenID] OpenID as a PKI facilitator

On 4/7/07, Recordon, David <drecordon at verisign.com> wrote:
> Ah, now I see our disconnect.  I thought "dick" and "david" had 
> different keys as per the DTP discussion.

Obviously they have different keys. You've lost me. What is DTP?

>
> --David
>
> -----Original Message-----
> From: Dick Hardt [mailto:dick at sxip.com]
> Sent: Saturday, April 07, 2007 07:30 AM Pacific Standard Time
> To: Ben Laurie
> Cc: OpenID General
> Subject: Re: [OpenID] OpenID as a PKI facilitator
>
> On 7-Apr-07, at 3:53 AM, Ben Laurie wrote:
>
> > On 4/7/07, Dick Hardt <dick at sxip.com> wrote:
> >> Hmmm ... that is not how I understood it worked from talking to
> >> Ben Laurie.
> >>
> >> Ben: would seem pretty heavy if zone file was needed to store a
> >> key in a record. Is this true?
> >
> > No. But nor is that what David said: he said a separate zone was
> > needed for each signing key. Which is true.
> >
> > What I can't figure out from what has been written in this thread is
> > what exactly you are trying to do, or why it would involve multiple
> > signing keys - from what I'm reading, you want to publish a key per
> > user, signed by some authority, which you can do in a single zone.
> > But I'm guessing wildly.
>
> Your guess is what we were talking about. How do you publish a key
> for the user, where each user is represented by a different DNS
> record?
>
> dick.pip.verisignlabs.com and david.pip.verisignlabs.com would be
> able to be in the zone and hence use the signing key for
> pip.verisignlabs.com.
>
> -- Dick
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
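The zone-versus-record point Ben makes in the quoted exchange (a per-user key published as a record inside one zone is covered by that zone's signing key; a separate signing key costs a separate, delegated zone tied to its parent by a DS record), as an added simulation that is not code from this thread nor from any OpenID or VeriSign project. Everything in it is constructed: the toy hierarchy under `com`, the placeholder key values in the TXT records, and HMAC-SHA256 with a random secret standing in for a real DNSSEC signing key pair, so it models the structure of zone signing rather than its algorithms.

```python
"""Constructed model of DNSSEC zone signing: one key per zone, every RRset in
the zone signed by it, delegation as the only way to get a second key.
Stand-in crypto: HMAC-SHA256 with a random secret plays the zone signing key."""

import hashlib
import hmac
import os


def fqdn(name):
    """Normalise to lower-case, trailing-dot form so name comparisons are exact."""
    return name.lower().rstrip(".") + "."


class Zone:
    def __init__(self, name, parent=None):
        self.name = fqdn(name)
        self.key = os.urandom(32)      # stand-in for the zone signing key
        self.rrsets = {}               # (owner, rtype) -> sorted list of rdata
        self.rrsigs = {}               # (owner, rtype) -> signature over that RRset
        self.children = {}             # delegated child zone name -> Zone
        if parent is not None:
            parent.delegate(self)

    def key_tag(self):
        """Fingerprint of this zone's key, as the parent's DS record carries it."""
        return hashlib.sha256(self.key).hexdigest()

    def _sig(self, owner, rtype, rrset):
        msg = "|".join([owner, rtype] + rrset).encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def add(self, owner, rtype, rdata):
        """Add one record and re-sign its RRset with this zone's key."""
        owner = fqdn(owner)
        if owner != self.name and not owner.endswith("." + self.name):
            raise ValueError(f"{owner} is outside zone {self.name}")
        for child in self.children:
            if owner == child or owner.endswith("." + child):
                raise ValueError(f"{owner} belongs to delegated zone {child}")
        rrset = self.rrsets.setdefault((owner, rtype), [])
        rrset.append(rdata)
        rrset.sort()
        self.rrsigs[(owner, rtype)] = self._sig(owner, rtype, rrset)

    def delegate(self, child):
        """Cut a child zone out: its key is tied to this zone only via a DS record."""
        self.add(child.name, "DS", child.key_tag())   # before registering, so add() permits it
        self.children[child.name] = child

    def authoritative_zone(self, owner, rtype):
        """Follow delegations to the zone whose key signs (owner, rtype)."""
        owner = fqdn(owner)
        for name, child in self.children.items():
            if owner == name and rtype == "DS":
                return self                # DS sits on the parent side of the cut
            if owner == name or owner.endswith("." + name):
                return child.authoritative_zone(owner, rtype)
        return self

    def verify(self, owner, rtype):
        """Return (signature valid?, name of the zone whose key signed it)."""
        owner = fqdn(owner)
        zone = self.authoritative_zone(owner, rtype)
        rrset = zone.rrsets.get((owner, rtype))
        if rrset is None:
            return False, zone.name
        ok = hmac.compare_digest(zone._sig(owner, rtype, rrset), zone.rrsigs[(owner, rtype)])
        return ok, zone.name

    def chain_of_trust(self, owner):
        """Zones from here down to `owner`, checking each DS link against the child's key."""
        owner = fqdn(owner)
        zone, chain = self, [self.name]
        while True:
            nxt = next((c for n, c in zone.children.items()
                        if owner == n or owner.endswith("." + n)), None)
            if nxt is None:
                return chain
            ok, _ = zone.verify(nxt.name, "DS")
            if not ok or nxt.key_tag() not in zone.rrsets[(nxt.name, "DS")]:
                raise ValueError(f"chain of trust broken at {nxt.name}")
            zone, chain = nxt, chain + [nxt.name]


def build_example():
    """Constructed toy hierarchy using the names from the thread.

    dick's key is a plain record in pip.verisignlabs.com (one zone, one key);
    david gets a delegated zone of his own, which is what a separate key costs.
    """
    com = Zone("com")
    pip = Zone("pip.verisignlabs.com", parent=com)
    pip.add("dick.pip.verisignlabs.com", "TXT", "v=toy; pubkey=DICK-PLACEHOLDER")
    david = Zone("david.pip.verisignlabs.com", parent=pip)
    david.add("david.pip.verisignlabs.com", "TXT", "v=toy; pubkey=DAVID-PLACEHOLDER")
    return com, pip, david


def who_signs(root, owner):
    """Name of the zone whose key covers the user's published key record, or None."""
    ok, signer = root.verify(owner, "TXT")
    return signer if ok else None


if __name__ == "__main__":
    com, pip, david = build_example()
    for user in ("dick.pip.verisignlabs.com", "david.pip.verisignlabs.com"):
        print(user, "signed by", who_signs(com, user), "chain", com.chain_of_trust(user))
    try:                                   # the parent can no longer speak for the cut-out name
        pip.add("david.pip.verisignlabs.com", "TXT", "pubkey=IMPOSTOR")
    except ValueError as err:
        print("refused:", err)
```

Running it shows dick's record validated under pip.verisignlabs.com's key with a two-link chain, david's record validated under his own zone's key with a three-link chain, and the parent refusing to add records at the delegated name; editing a record's rdata without re-signing makes `verify` return False, which is the property that lets a relying party trust a key it fetched from DNS.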
