[OpenID] OpenID + Certs

Jim Spring jmspring at gmail.com
Wed Apr 25 01:36:59 UTC 2007


Pat -

Depends on the mode of SSL.  If one is only using the more widespread Server
Authentication, then you are presenting nothing about yourself to the server
until you provide other credentials such as username/password.  If SSL is using
Client Authentication, then it is true that if you validate yourself with a user
certificate, you are in possession of the private key.  However, this
authentication is happening (in the case of the browser) using a certificate/key
pair known to the browser.  Where the disconnect is, how does this tie in with
the presentation of the OpenID credential?

-jim
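
The check Jim asks for in both of his messages (full X.509 validation plus a
private-key operation, so that presenting a certificate is not mistaken for
owning it), written out as an added example in Go. This is not code from the
thread or from any OpenID project. The relying party issues a single-use nonce,
the holder signs it with the key that belongs to the certificate, and the
verifier checks the chain, a revocation set (Pat's stolen-certificate case) and
the signature. The CA, the user names, the serial numbers and the in-memory
revocation map are all constructed for the example; a real deployment would
chain to the organisation's CA and consult its CRL or OCSP responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Verifier is what the relying party trusts: accepted CA roots plus serial numbers
// known to be revoked (a CRL/OCSP lookup in practice; an in-memory map here).
type Verifier struct {
	Roots   *x509.CertPool
	Revoked map[string]bool
}

// ProvePossession is the client side: sign the nonce with the certificate's private key.
func ProvePossession(key *ecdsa.PrivateKey, nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}

// Check is the "full X509 validation along with some private key operation": chain to a
// trusted root with client-auth usage, revocation lookup, signature over the nonce.
func (v *Verifier) Check(cert *x509.Certificate, nonce, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: v.Roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	if v.Revoked[cert.SerialNumber.String()] {
		return errors.New("certificate is revoked")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(nonce)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("nonce signature invalid: presenter does not hold the private key")
	}
	return nil
}

// newIdentity generates a P-256 key and a certificate for it signed by signer/signerKey
// (self-signed CA when signer is nil): a constructed stand-in for a corporate or DoD CA.
func newIdentity(cn string, serial int64, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	fatalIf(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if signer == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	fatalIf(err)
	cert, err := x509.ParseCertificate(der)
	fatalIf(err)
	return cert, key
}

func fatalIf(err error) {
	if err != nil {
		panic(err)
	}
}

// Scenario builds the constructed CA and user certificate and runs the three cases
// the thread discusses. A nil result means the verifier accepted the login.
func Scenario() (genuine, impostor, revoked error) {
	caCert, caKey := newIdentity("Example Corp CA", 1, nil, nil)
	userCert, userKey := newIdentity("pat", 2, caCert, caKey)
	_, otherKey := newIdentity("someone else", 3, caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	v := &Verifier{Roots: roots, Revoked: map[string]bool{}}
	nonce := make([]byte, 32) // fresh, single-use challenge; reuse would allow replay
	_, err := rand.Read(nonce)
	fatalIf(err)
	sig, err := ProvePossession(userKey, nonce) // genuine holder: cert plus matching key
	fatalIf(err)
	genuine = v.Check(userCert, nonce, sig)
	badSig, err := ProvePossession(otherKey, nonce) // cert copied from a profile, wrong key
	fatalIf(err)
	impostor = v.Check(userCert, nonce, badSig)
	v.Revoked[userCert.SerialNumber.String()] = true // stolen key, certificate since revoked
	revoked = v.Check(userCert, nonce, sig)
	return genuine, impostor, revoked
}

func main() {
	genuine, impostor, revoked := Scenario()
	fmt.Println("genuine:", genuine, "| no key:", impostor, "| revoked:", revoked)
}
```

Only the first case is accepted. The second case is the one the thread circles
around: a certificate stored as a profile attribute can be copied by anyone, so
without the nonce signature the verifier learns nothing about who is presenting
it. The third case shows why Pat's revocation check is still needed even when
the signature verifies.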


On Apr 24, 2007, at 6:22 PM, Pat Cappelaere wrote:

> Jim,
>
> Isn't it a true statement that for me to be capable of connecting to an SSL
> enabled OpenID provider means that I own the private key?
>
> So as a consumer, I can assume that the user was the valid user of that
> certificate at the upload time and I only need to check if the cert has not
> been revoked (if stolen), right?
>
> Pat.
>
>
>> From: Jim Spring <jmspring at gmail.com>
>> Date: Tue, 24 Apr 2007 17:47:42 -0700
>> To: Pat Cappelaere <pat at cappelaere.com>
>> Cc: Dick Hardt <dick at sxip.com>, <general at openid.net>
>> Subject: Re: [OpenID] OpenID + Certs
>>
>> Pat -
>>
>> I think the idea of including the certificate in with the profile has some
>> merits, but how do you propose verifying the certificate -- meaning
>> presenting a certificate is one thing, but it is not useful without the
>> private key -- to verify that the user presenting the certificate actually
>> is the one it belongs to.
>>
>> I can see a role in the presence of the certificate as an attribute could
>> be an enabler for backend/legacy functionality that is PKI enabled (SSL,
>> etc), but I haven't seen anything that directly allows for a path doing the
>> full X509 validation along with some private key operation.
>>
>> -jim spring
>>
>> On Apr 24, 2007, at 5:36 PM, Pat Cappelaere wrote:
>>
>>> Dick,
>>>
>>> I am using the term cert as in X.509 certificates being used by major
>>> corporations and DoD to identify their users.
>>> These certs contain validated user profile information that ought to be
>>> available in an OpenID user profile as an optional attribute at a minimum.
>>> How many of them are already out there? Many millions.
>>> This ought to be leveraged somehow.
>>>
>>> Pat.
>>>
>>>
>>>
>>>> From: Dick Hardt <dick at sxip.com>
>>>> Date: Wed, 25 Apr 2007 00:36:52 +0200
>>>> To: Pat Cappelaere <pat at cappelaere.com>
>>>> Cc: Hans Granqvist <hgranqvist at verisign.com>, <general at openid.net>
>>>> Subject: Re: [OpenID] OpenID + Certs
>>>>
>>>> Pat
>>>>
>>>> I think you are confusing people using the term Certificate here.
>>>> While a certificate can contain any data, I think of the certs
>>>> primarily as being a statement binding an entity to a public key.
>>>>
>>>> I think you are talking about verified claims, and this is definitely
>>>> something that Attribute Exchange is all about.
>>>>
>>>> We have some demo code where you can get a claim binding your OpenID
>>>> to an email address at:
>>>>
>>>> https://verify.sxip.com/email/.
>>>>
>>>> The only OP I know of that talks AX at this point is Sxipper.
>>>>
>>>> -- Dick
>>>>
>>>> On 24-Apr-07, at 10:14 PM, Pat Cappelaere wrote:
>>>>
>>>>> Hans,
>>>>>
>>>>> Not as a distribution mechanism per se, but as a way to get access to
>>>>> validated information about a user.  Corporate persona would be
>>>>> encapsulated in the PKI that would not be tampered with by the user
>>>>> (like any of the other profile attributes which can be altered at will).
>>>>> That cert would only be one extra attribute in the profile.
>>>>> The user could upload new ones if necessary.  I will keep on checking at
>>>>> every login.
>>>>> Otherwise, I can't really tell for sure what the user organization is and
>>>>> what email is valid.
>>>>>
>>>>> Does this make more sense?
>>>>> Thanks,
>>>>> Pat.
>>>>>
>>>>>
>>>>>
>>>>>> From: Hans Granqvist <hgranqvist at verisign.com>
>>>>>> Date: Tue, 24 Apr 2007 09:07:06 -0700
>>>>>> To: Pat Cappelaere <pat at cappelaere.com>
>>>>>> Cc: "Recordon, David" <drecordon at verisign.com>,
>>>>>> <general at openid.net>
>>>>>> Subject: Re: [OpenID] OpenID + Certs
>>>>>>
>>>>>> Pat Cappelaere wrote:
>>>>>>> David,
>>>>>>>
>>>>>>> This is pretty much what I need today.  Could you implement that on
>>>>>>> your OpenID server at Verisign, please? :)
>>>>>>> Since it is optional, it would not break anything.
>>>>>>> Since Verisign is pretty big in Certificate Management, it might even
>>>>>>> make sense.
>>>>>>> Thanks,
>>>>>>> Pat.
>>>>>>
>>>>>> Pat, I'm confused: Do you want to use OpenID attribute exchange as a
>>>>>> PKI distribution mechanism?
>>>>>>
>>>>>> -Hans
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> general mailing list
>>>>> general at openid.net
>>>>> http://openid.net/mailman/listinfo/general
>>>>>
>>>>>
>>>>
>>>
>>
>
>
