[OpenID] OpenID as a PKI facilitator

Recordon, David drecordon at verisign.com
Sat Apr 7 17:38:09 UTC 2007


So then where are we placing the user's key?  I thought what was being
proposed was using the signing key as the user's public key.  Seems this
isn't the case, so then is the user's key going in as a DNS record (and
then in what format)?

--David 

-----Original Message-----
From: Ben Laurie [mailto:benl at google.com] 
Sent: Saturday, April 07, 2007 10:13 AM
To: Recordon, David
Cc: Dick Hardt; OpenID General
Subject: Re: [OpenID] OpenID as a PKI facilitator

On 4/7/07, Recordon, David <drecordon at verisign.com> wrote:
> Dick said:
> > dick.pip.verisignlabs.com and david.pip.verisignlabs.com would be 
> > able to be in the zone and hence use the signing key for 
> > pip.verisignlabs.com.
>
> As I read that, both dick.pip.verisignlabs.com and 
> david.pip.verisignlabs.com would be in the same zone and thus be using
> the same key.

What? There's no need for them to be using the same key if they're in
the same zone. The key that is the same is the one that signs their
records, i.e. the zone key.

> That is not what I was envisioning, I was seeing 
> dick.pip.verisignlabs.com and david.pip.verisignlabs.com having to be 
> in separate zones in order to have separate keys.
>
> DTP is a draft back-channel protocol (basically S/MIME over HTTP) 
> which proposes key discovery via Yadis.
> http://openid.net/specs/openid-service-key-discovery-1_0-01.html
>
> --David
>
> -----Original Message-----
> From: Ben Laurie [mailto:benl at google.com]
> Sent: Saturday, April 07, 2007 10:01 AM
> To: Recordon, David
> Cc: Dick Hardt; OpenID General
> Subject: Re: [OpenID] OpenID as a PKI facilitator
>
> On 4/7/07, Recordon, David <drecordon at verisign.com> wrote:
> >
> >
> >
> > Ah, now I see our disconnect.  I thought "dick" and "david" had 
> > different keys as per the DTP discussion.
>
> Obviously they have different keys. You've lost me. What is DTP?
>
> >
> >  --David
> >
> >
> >   -----Original Message-----
> >  From:   Dick Hardt [mailto:dick at sxip.com]
> >  Sent:   Saturday, April 07, 2007 07:30 AM Pacific Standard Time
> >  To:     Ben Laurie
> >  Cc:     OpenID General
> >  Subject:        Re: [OpenID] OpenID as a PKI facilitator
> >
> >
> >  On 7-Apr-07, at 3:53 AM, Ben Laurie wrote:
> >
> >  > On 4/7/07, Dick Hardt <dick at sxip.com> wrote:
> >  >> Hmmm ... that is not how I understood it worked from talking to
> >  >> Ben Laurie.
> >  >>
> >  >> Ben: would seem pretty heavy if a zone file was needed to store a
> >  >> key in a record. Is this true?
> >  >
> >  > No. But nor is that what David said: he said a separate zone was
> >  > needed for each signing key. Which is true.
> >  >
> >  > What I can't figure out from what has been written in this thread
> >  > is what exactly you are trying to do, or why it would involve
> >  > multiple signing keys - from what I'm reading, you want to publish
> >  > a key per user, signed by some authority, which you can do in a
> >  > single zone. But I'm guessing wildly.
> >
> >  Your guess is what we were talking about. How do you publish a key
> >  for the user, where each user is represented by a different DNS
> >  record.
> >
> >  dick.pip.verisignlabs.com and david.pip.verisignlabs.com would be 
> > able to be in the zone and hence use the signing key for 
> > pip.verisignlabs.com.
> >
> >  -- Dick
> >
> >  _______________________________________________
> >  general mailing list
> >  general at openid.net
> >  http://openid.net/mailman/listinfo/general
> >
> >
> >
>
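Added illustration, not part of the thread or of anyone's message in it: a zone fragment for the arrangement Ben describes, one zone with one zone-signing key, and a distinct public key published for each user as that user's own DNS record. The thread does not settle what record type or format the user key goes in (David's open question above), so the TXT record and the "v=key1; ..." payload layout are assumptions for readability; CERT (RFC 4398) is an existing alternative RRtype for key material. The key tag, dates, and all base64 blobs are placeholders, not real keys or signatures.

```zone
; pip.verisignlabs.com  -- added example, not from the thread.
; One zone, one zone-signing key (the DNSKEY below). Each user has a
; different public key, carried in a TXT record under the user's own name;
; the RRSIG on each user's TXT RRset is made with the single zone key.
; The per-user keys differ; the key that signs their records is the same.
; Key tag 12345, dates and base64 material are placeholders.
$ORIGIN pip.verisignlabs.com.
$TTL 3600

@       IN  SOA   ns1.pip.verisignlabs.com. hostmaster.pip.verisignlabs.com. (
                  2007040701 7200 3600 1209600 3600 )
@       IN  NS    ns1.pip.verisignlabs.com.

; the zone's own key: flags 256 = zone key, protocol 3, algorithm 5 = RSA/SHA-1
@       IN  DNSKEY 256 3 5 AwEAAc...placeholder-zone-key...

; dick's public key (assumed TXT payload layout; different key from david's)
dick    IN  TXT   "v=key1; alg=rsa; pub=MIGfMA0G...placeholder-dick-pubkey..."
dick    IN  RRSIG TXT 5 3 3600 20070507000000 20070407000000 12345
                  pip.verisignlabs.com. ( abcd...placeholder-sig-by-zone-key... )

; david's public key, same zone, same signing key, different user key
david   IN  TXT   "v=key1; alg=rsa; pub=MIGfMA0G...placeholder-david-pubkey..."
david   IN  RRSIG TXT 5 3 3600 20070507000000 20070407000000 12345
                  pip.verisignlabs.com. ( efgh...placeholder-sig-by-zone-key... )
```

A validating resolver checks each RRSIG against the zone's DNSKEY (itself anchored by a DS record in the parent zone, not shown), and only then does the relying party treat the TXT payload as dick's or david's key. Adding a third user means adding one more TXT RRset and signing it with the existing zone key; no new zone or new signing key is involved.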


