[OpenID] OpenID + Certs

Pat Cappelaere pat at cappelaere.com
Wed Apr 25 15:14:59 UTC 2007


Dick,

I am not quite a PKI technologist but let's look at https://certifi.ca.
They allowed me to create an openid account.
They use client-side SSL and I have my cert in the browser so I am always
logged in (as it appears anyway).
They certainly have access to my certificate on their side and could have
stored it and placed it as an optional attribute of my profile.
I can write a small consumer and use my openid url and get to my profile
attributes via exchange. But as a consumer, I cannot really trust those
attributes as being official since they are all editable by the user.  If I
only had access to that cert...

Wdyt?

Pat.





> From: Dick Hardt <dick at sxip.com>
> Date: Wed, 25 Apr 2007 16:55:58 +0200
> To: Pat Cappelaere <pat at cappelaere.com>
> Cc: openid-general General <general at openid.net>
> Subject: Re: [OpenID] OpenID + Certs
> 
> Hi Pat
> 
> I appreciate the kind words.
> 
> To validate the user is the owner of the cert, the RP would need to
> get the cert, but more importantly, the user needs to sign something
> with the private key to know the attributes belong to the user. It is
> not clear to me how to make that happen, but I'd be interested in any
> proposals you have for the integration.
> 
> -- Dick
> 
> On 25-Apr-07, at 1:36 PM, Pat Cappelaere wrote:
> 
>> Dick,
>> 
>> I understand where you are coming from.  I have the utmost respect for the
>> work you are doing in that area.  I would urge you to not discount the DOD
>> effort with PKI.  I believe that it is mandatory for all DOD personnel +
>> contractors to have one in order to access a DOD machine in the open (and
>> sometimes higher).
>> 
>> DOD is extremely interested in data sharing with other civilian
>> organizations (especially for emergency response).  The best thing you could
>> do would be to accept DOD PKIs as optional user attributes (using SSL) and
>> let the consumers decide to request that cert or not (and to validate it or
>> not) via the openid attribute exchange.
>> 
>> This could be the tipping point for OpenID.
>> Thank you for taking the time to respond to the emails and your cooperation
>> with this Community.
>> V/R,
>> Pat.
>> 
>> 
>>> From: Dick Hardt <dick at sxip.com>
>>> Date: Wed, 25 Apr 2007 06:31:42 +0200
>>> To: Pat Cappelaere <pat at cappelaere.com>
>>> Cc: Hans Granqvist <hgranqvist at verisign.com>, <general at openid.net>
>>> Subject: Re: [OpenID] OpenID + Certs
>>> 
>>> Hi Pat
>>> 
>>> Thanks for clarifying.
>>> 
>>> Personally, I think this overloading of the X.509 cert to be used for
>>> proving both that I am a particular entity as well as asserting facts
>>> about me is why PKI is not more widely deployed. From what I have
>>> learned talking to the DoD, the utilization and "trust" of this other
>>> data is nominal.
>>> 
>>> -- Dick
>>> 
>>> On 25-Apr-07, at 2:36 AM, Pat Cappelaere wrote:
>>> 
>>>> Dick,
>>>> 
>>>> I am using the term cert as in X.509 certificates being used by major
>>>> corporations and DoD to identify their users.
>>>> These certs contain validated user profile information that ought to be
>>>> available in an OpenID user profile as an optional attribute at a minimum.
>>>> How many of them are already out there? Many millions.
>>>> This ought to be leveraged somehow.
>>>> 
>>>> Pat.
>>>> 
>>>> 
>>>> 
>>>>> From: Dick Hardt <dick at sxip.com>
>>>>> Date: Wed, 25 Apr 2007 00:36:52 +0200
>>>>> To: Pat Cappelaere <pat at cappelaere.com>
>>>>> Cc: Hans Granqvist <hgranqvist at verisign.com>, <general at openid.net>
>>>>> Subject: Re: [OpenID] OpenID + Certs
>>>>> 
>>>>> Pat
>>>>> 
>>>>> I think you are confusing people using the term Certificate here.
>>>>> While a certificate can contain any data, I think of the certs
>>>>> primarily as being a statement binding an entity to a public key.
>>>>> 
>>>>> I think you are talking about verified claims, and this is definitely
>>>>> something that Attribute Exchange is all about.
>>>>> 
>>>>> We have some demo code where you can get a claim binding your OpenID
>>>>> to an email address at:
>>>>> 
>>>>> https://verify.sxip.com/email/.
>>>>> 
>>>>> The only OP I know of that talks AX at this point is Sxipper.
>>>>> 
>>>>> -- Dick
>>>>> 
>>>>> On 24-Apr-07, at 10:14 PM, Pat Cappelaere wrote:
>>>>> 
>>>>>> Hans,
>>>>>> 
>>>>>> Not as a distribution mechanism per se, but as a way to get access to
>>>>>> validated information about a user.  Corporate persona would be
>>>>>> encapsulated in the PKI that would not be tampered with by the user (like
>>>>>> any of the other profile attributes which can be altered at will).
>>>>>> That cert would only be one extra attribute in the profile.
>>>>>> The user could upload new ones if necessary.  I will keep on checking at
>>>>>> every login.
>>>>>> Otherwise, I can't really tell for sure what the user organization is and
>>>>>> what email is valid.
>>>>>> 
>>>>>> Does this make more sense?
>>>>>> Thanks,
>>>>>> Pat.
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> From: Hans Granqvist <hgranqvist at verisign.com>
>>>>>>> Date: Tue, 24 Apr 2007 09:07:06 -0700
>>>>>>> To: Pat Cappelaere <pat at cappelaere.com>
>>>>>>> Cc: "Recordon, David" <drecordon at verisign.com>,
>>>>>>> <general at openid.net>
>>>>>>> Subject: Re: [OpenID] OpenID + Certs
>>>>>>> 
>>>>>>> Pat Cappelaere wrote:
>>>>>>>> David,
>>>>>>>> 
>>>>>>>> This is pretty much what I need today.  Could you implement that on your
>>>>>>>> OpenID server at Verisign, please? :)
>>>>>>>> Since it is optional, it would not break anything.
>>>>>>>> Since Verisign is pretty big in Certificate Management, it might even make
>>>>>>>> sense.
>>>>>>>> Thanks,
>>>>>>>> Pat.
>>>>>>> 
>>>>>>> Pat, I'm confused: Do you want to use OpenID attribute exchange as a PKI
>>>>>>> distribution mechanism?
>>>>>>> 
>>>>>>> -Hans
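Dick's point in the quoted reply, that the RP must obtain the cert and the user must sign something with the matching private key before the cert's fields can be trusted as attributes, written out as a relying-party check. This is an added example, not code from this thread or from any OpenID library; it assumes a simple challenge-response with ECDSA P-256 keys, and the CA, user cert, names and addresses built in Demo are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// VerifiedClaims holds the cert's own subject fields; the RP treats them as validated only after both checks pass.
type VerifiedClaims struct{ Emails, Orgs []string }

// VerifyCertClaims is the RP check: cert must chain to a trusted root and sig must be the holder's
// ECDSA/SHA-256 signature over the RP-issued, single-use nonce. Only then are the cert's fields returned.
func VerifyCertClaims(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) (VerifiedClaims, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return VerifiedClaims{}, err // untrusted issuer, expired, or not a client-auth cert
	}
	// Proof of possession: a cert merely uploaded to a profile, without its private key, fails here.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return VerifiedClaims{}, err
	}
	return VerifiedClaims{Emails: cert.EmailAddresses, Orgs: cert.Subject.Organization}, nil
}

// Demo builds a throwaway CA and user cert (constructed test data), has the user sign a fresh nonce, runs the
// RP check, and reports whether the same signature is rejected when replayed against a different nonce.
func Demo() (VerifiedClaims, bool, error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Org CA"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na, EmailAddresses: []string{"pat@example.org"},
		Subject: pkix.Name{CommonName: "Pat", Organization: []string{"Example Org"}}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userDER, _ := x509.CreateCertificate(rand.Reader, userTmpl, ca, &userKey.PublicKey, caKey)
	user, _ := x509.ParseCertificate(userDER)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	nonce := make([]byte, 32) // the RP's single-use challenge
	rand.Read(nonce)
	h := sha256.Sum256(nonce) // the holder signs the challenge with the cert's private key
	sig, _ := ecdsa.SignASN1(rand.Reader, userKey, h[:])
	claims, err := VerifyCertClaims(roots, user, nonce, sig)
	_, replayErr := VerifyCertClaims(roots, user, append([]byte{nonce[0] ^ 1}, nonce[1:]...), sig)
	return claims, replayErr != nil, err
}
```

A real RP would also bind the nonce to the OpenID session and check revocation; neither is shown here.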