[OpenID] OpenID as a PKI facilitator

Ben Laurie benl at google.com
Sat Apr 7 17:45:31 UTC 2007


On 4/7/07, Recordon, David <drecordon at verisign.com> wrote:
> So then where are we placing the user's key?  I thought what was being
> proposed was using the signing key as the user's public key.  Seems this
> isn't the case, so then is the user's key going in as a DNS record (and
> then in what format)?

http://www.ietf.org/rfc/rfc4398.txt

>
> --David
>
> -----Original Message-----
> From: Ben Laurie [mailto:benl at google.com]
> Sent: Saturday, April 07, 2007 10:13 AM
> To: Recordon, David
> Cc: Dick Hardt; OpenID General
> Subject: Re: [OpenID] OpenID as a PKI facilitator
>
> On 4/7/07, Recordon, David <drecordon at verisign.com> wrote:
> > Dick said:
> > > dick.pip.verisignlabs.com and david.pip.verisignlabs.com would be
> > > able to be in the zone and hence use the signing key for
> > > pip.verisignlabs.com.
> >
> > As I read that, both dick.pip.verisignlabs.com and
> > david.pip.verisignlabs.com would be in the same zone and thus be using
> > the same key.
>
> What? There's no need for them to be using the same key if they're in
> the same zone. The key that is the same is the one that signs their
> records, i.e. the zone key.
>
> > That is not what I was envisioning, I was seeing
> > dick.pip.verisignlabs.com and david.pip.verisignlabs.com having to be
> > in separate zones in order to have separate keys.
> >
> > DTP is a draft back-channel protocol (basically S/MIME over HTTP)
> > which proposes key discovery via Yadis.
> > http://openid.net/specs/openid-service-key-discovery-1_0-01.html
> >
> > --David
> >
> > -----Original Message-----
> > From: Ben Laurie [mailto:benl at google.com]
> > Sent: Saturday, April 07, 2007 10:01 AM
> > To: Recordon, David
> > Cc: Dick Hardt; OpenID General
> > Subject: Re: [OpenID] OpenID as a PKI facilitator
> >
> > On 4/7/07, Recordon, David <drecordon at verisign.com> wrote:
> > >
> > >
> > >
> > > Ah, now I see our disconnect.  I thought "dick" and "david" had
> > > different keys as per the DTP discussion.
> >
> > Obviously they have different keys. You've lost me. What is DTP?
> >
> > >
> > >  --David
> > >
> > >
> > >   -----Original Message-----
> > >  From:   Dick Hardt [mailto:dick at sxip.com]
> > >  Sent:   Saturday, April 07, 2007 07:30 AM Pacific Standard Time
> > >  To:     Ben Laurie
> > >  Cc:     OpenID General
> > >  Subject:        Re: [OpenID] OpenID as a PKI facilitator
> > >
> > >
> > >  On 7-Apr-07, at 3:53 AM, Ben Laurie wrote:
> > >
> > >  > On 4/7/07, Dick Hardt <dick at sxip.com> wrote:
> > >  >> Hmmm ... that is not how I understood it worked from talking to
> > >  >> Ben Laurie.
> > >  >>
> > >  >> Ben: would seem pretty heavy if zone file was needed to store a
> > >  >> key in a record. Is this true?
> > >  >
> > >  > No. But nor is that what David said: he said a separate zone was
> > >  > needed for each signing key. Which is true.
> > >  >
> > >  > What I can't figure out from what has been written in this thread
> > >  > is what exactly you are trying to do, or why it would involve
> > >  > multiple signing keys - from what I'm reading, you want to publish
> > >  > a key per user, signed by some authority, which you can do in a
> > >  > single zone. But I'm guessing wildly.
> > >
> > >  Your guess is what we were talking about. How do you publish a key
> > >  for the user, where each user is represented by a different DNS
> > >  record.
> > >
> > >  dick.pip.verisignlabs.com and david.pip.verisignlabs.com would be
> > > able to be in the zone and hence use the signing key for
> > > pip.verisignlabs.com.
> > >
> > >  -- Dick
> > >
> > >  _______________________________________________
> > >  general mailing list
> > >  general at openid.net
> > >  http://openid.net/mailman/listinfo/general
> > >
> > >
> > >
> >
>