[OpenID] OpenID + Certs

Pat Cappelaere pat at cappelaere.com
Mon Apr 23 18:38:58 UTC 2007


Terry,

Why would the openid be included in the certificate? I cannot care less
about the openid itself.  It is just a user handle.
I may decide to validate the cert myself (or not) depending on my
application.  
Since the provider has that certificate and user says ok, then I could
really use it.  Why not?
Pat.



From: <thayes0993 at aol.com>
Date: Mon, 23 Apr 2007 13:43:48 -0400
To: <pat at cappelaere.com>, <general at openid.net>
Subject: Re: [OpenID] OpenID + Certs

 In order to get the result that you want, the OpenID of the user will have
to be included in the certificate. Is this typical among the OPs that are
using certificates?

The RP would have to check that the OpenID asserted by the OP is also bound
by the certificate to the organization.  Note that the OpenID referred to
here is the one claimed by the user, not the delegated id that the OpenID
provider actually deals with.

Use of the certificate in this way is more like attribute certificates than
it is a regular public-key binding.

Terry
 
 
-----Original Message-----
From: Pat Cappelaere <pat at cappelaere.com>
To: general at openid.net
Sent: Mon, 23 Apr 2007 10:14 am
Subject: [OpenID] OpenID + Certs

We are starting to see more sites that serve OpenIDs and use certificates
for client-side SSL.

This is good news.  What would even be better would be to make the user cert
available in the sreg optional attributes for more stringent consumers.

This would allow me to validate a user's belonging to a specific
organization for instance if he agrees of course.  This would allow certain
sites to release more sensitive information for Humanitarian Assistance
and/or Disaster Relief in my case.

Could this be added easily?

Does this make sense?

Wdyt?

Pat.

eo1.geobliki.com
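
Added example, not part of the original thread or of any OpenID library: a sketch of the relying-party check Terry describes, where the identifier the user claimed (not the OP-local, delegated one) must be bound by the certificate to the organization. It assumes the certificate chain was already validated, that the OpenID is carried as a URI subjectAltName, and that the certificate is given in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the function names and sample data are hypothetical.

```python
from urllib.parse import urlsplit

def normalize(identifier):
    """Lower-case scheme and host, drop fragment and default port, default the path to '/'."""
    p = urlsplit(identifier.strip())
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    port = "" if p.port in (None, default) else ":%d" % p.port
    query = "?" + p.query if p.query else ""
    return "%s://%s%s%s%s" % (scheme, host, port, p.path or "/", query)

def cert_binds_openid(cert, openid_url, required_org):
    """True if the cert names required_org and carries openid_url as a URI SAN.

    Assumption: cert is already chain-validated by the relying party.
    """
    orgs = [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "organizationName"]
    uris = [normalize(v) for t, v in cert.get("subjectAltName", ()) if t == "URI"]
    return required_org in orgs and normalize(openid_url) in uris

def rp_accepts(assertion, cert, required_org):
    """Check the identifier the user claimed, never the delegated OP-local one."""
    return cert_binds_openid(cert, assertion["claimed_id"], required_org)

# Constructed sample data (hypothetical names and URLs).
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Relief Org"),),
                (("commonName", "Alice"),)),
    "subjectAltName": (("URI", "https://alice.example.org/"),),
}
SAMPLE_ASSERTION = {
    # Field names follow OpenID 2.0's openid.claimed_id / openid.identity.
    "claimed_id": "https://Alice.example.org",
    "identity": "https://op.example.net/users/alice",
}

if __name__ == "__main__":
    print("accept:", rp_accepts(SAMPLE_ASSERTION, SAMPLE_CERT, "Example Relief Org"))
```

A certificate that names only the OP-local identity, or none at all, fails this check even when the organization matches.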

 

