[OpenID] ICANN - dotOpenID Has Found Its First Sponsor

Peter Williams pwilliams at rapattoni.com
Sun Sep 28 03:34:18 UTC 2008


One interesting control/trust notion could be lifted from a parallel effort on federated identity (SAML2). There, a domain name in an SSL server cert already introduces a URL, making assertions about the resource at the URL where one can expect to download (signed) metadata, as a relying party. The certified domain/URL name in the cert (a) has URI form, with pattern matching syntax like https server certs, and (b) is a naming context assertion, from its issuer, binding the domain-name authorized/admitted to distribute resource records (meta-metadata) about the entityname asserted in the metadata.

As with all certs, you are intended to distribute them inband (e.g. SSL handshake, ephemeral cert minting by DH ciphersuites), via URL-located files (windows .p7c files), via email (PKCS7/MIME/822 over https), or (these days) as OSPF ipv6 LSAs in WAN-scale virtual routing domains. In the case of OpenID, they would obviously mostly come from the communication bearer (https) of the HTTP redirects, assuming https is applying cert-based ciphersuites.

Obviously, DNSSEC could be playing exactly the same role of distributing signed naming contexts, under the usual DNS hierarchical naming world. As always, the issue is control and dependency. What distinguishes DNS from XRI (the OASIS response to DNS) is a good question. XRI already has signed naming contexts, and is already a part of OpenID2 (as is DNS, and DNSSEC, to be fair).

I see XRI as more flexible than DNS, as its query language is simply more flexible and allows for the expression of relying-party-centric validity models. These do not interfere with the issuer's certification-centric model (that provides for scaling, and interworking by default). RP-centric models simply allow relying parties to overlay their own trust model, consistent with the trust metamodel in OpenID. By analogy, the RP packet switch chooses its own reverse path for an ICMP resp to the ICMP req sender, based on routing tables whose contents it uniquely controls (with its own locally-defined supernets, own route redistributions, and its own metrics on the trustworthiness of global routes).



-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Dave CROCKER
Sent: Saturday, September 27, 2008 5:49 PM
To: Snorri
Cc: board at openid.net; general at openid.net
Subject: Re: [OpenID] ICANN - dotOpenID Has Found Its First Sponsor


Snorri wrote:
> Please understand, this goes way beyond OpenID. It is the introduction
> of a new gTLD dedicated to identity, a concept which has everyone
> concerned.


Enhancements to the DNS namespace are always interesting.

Since the entire DNS is, by definition, dedicated to identity, can you clarify
what would be different about .openid?  What would be special about registration
under it that would not also apply to registration under any other TLD?

Thanks.

d/

--

   Dave Crocker
   Brandenburg InternetWorking
   bbiw.net
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
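The naming-context check from Peter Williams' message above (the domain name in the https server cert binding who may distribute metadata about an entityID, matched with https-server-cert pattern rules), as an added example that is not code from this thread or from any SAML/OpenID project. It assumes the metadata was already fetched over https and its XML signature verified separately, and works on a constructed sample document.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample SAML2 metadata document (not from the thread).
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def cert_name_matches(pattern: str, host: str) -> bool:
    """HTTPS-server-cert style (RFC 6125) matching of one dNSName against a host.
    A wildcard is honoured only as the entire left-most label and never spans a
    dot: '*.example.org' covers 'idp.example.org' but not 'a.b.example.org' or
    'example.org'. Requiring at least three labels is a simplification of the
    public-suffix rule ('*.org' is refused)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def entity_id_host(metadata: bytes) -> str:
    """Return the host of the entityID, insisting on the https URI form."""
    root = ET.fromstring(metadata)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML2 EntityDescriptor")
    parts = urlsplit(root.attrib["entityID"])
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("entityID is not an https URI")
    return parts.hostname


def metadata_is_authorized(metadata: bytes, cert_dns_names: list[str]) -> bool:
    """The naming-context check: the server cert that delivered the metadata
    must name the entityID's host; otherwise the distributor was not admitted
    to publish records about that entity and the relying party rejects it."""
    host = entity_id_host(metadata)
    return any(cert_name_matches(name, host) for name in cert_dns_names)
```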


