[OpenID] XRD signing and a new kind of Claimed Identifier
Nat Sakimura
sakimura at gmail.com
Fri Jun 5 07:39:29 UTC 2009
Secure XRD 1.0 will have a public key and a signature in it.
It is currently being vigorously drafted.
The TC has been evaluating two types of signature: constrained XML DSig, which is
essentially simplified c14n and no QNames (similar to SAML signatures), and a
new type of very simplistic signature, which Base64-encodes the XRD and takes RSA-SHA
over it (see: http://wiki.oasis-open.org/xri/XrdOne/SimpleSign). The majority
of the TC is tending towards the former, but some members still feel that
the community would find it too complicated and that implementation compatibility
will be an issue.
The XRI TC/XRD specs team would welcome your input in this regard,
although, as usual, technical suggestions made here do not get into the
spec because of the IPR contamination issues.
Regards,
=nat
On Fri, Jun 5, 2009 at 1:40 PM, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
> If I understand you correctly, you are essentially describing LID.
>
> http://lid.netmesh.org/wiki/LID_By_Example
>
> On Jun 4, 2009, at 20:36, Andrew Arnott wrote:
>
>> I haven't read the XRD spec draft, so I don't know how well this would fit
>> in, but I wonder...
>>
>> Could we put a public key in an XRD file, and have the authentication
>> process be that the OP proves it has the private key, and then the public
>> key is the claimed identifier? If we could pull this off we'd totally solve
>> the problem of being able to change the URI or XRI identifier while still
>> maintaining the user account at each RP; and similarly we could abandon a
>> URL without fear of someone else picking it up and stealing the old user's
>> identity.
>>
>> Basically, have many of the same benefits of XRIs today, except without
>> the annual fee of owning a top-level i-name, and without being locked down
>> to one XRI service. For example I have a few i-names, each with their own
>> i-number, but these numbers aren't really portable. AFAIK I can't abandon
>> all my i-names, then acquire all new i-names with different services and
>> different numbers of * characters in them, and then hook up my old i-numbers
>> and expect it all to work.
>>
>> Is this way off base, or a possibility?
>>
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death
>> your right to say it." - S. G. Tallentyre
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>
>
> Johannes Ernst
> NetMesh Inc.
>
> http://netmesh.info/jernst
>
--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
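The two ideas discussed in this thread, worked through as an added example that is not part of the original messages or of the XRI TC's drafts: the SimpleSign-style signature (Base64 the XRD, then RSA-SHA over the encoded text, following the one-line description above literally) and the public-key-as-claimed-identifier proposal, where the RP derives a stable identifier from the key published in the XRD and the OP proves possession of the matching private key by signing a fresh nonce. The sample XRD, the choice of SHA-256 with PKCS#1 v1.5 padding, and the hex SHA-256 fingerprint used as the identifier are this example's assumptions; the real SimpleSign and Secure XRD encodings are not reproduced.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Constructed sample XRD. Element names follow XRD 1.0 loosely; where a
// Secure XRD carries its key and signature is not modelled here.
const sampleXRD = `<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>https://example.org/alice</Subject>
  <Link rel="http://specs.openid.net/auth/2.0/signon" href="https://op.example.org/endpoint"/>
</XRD>`

// signBytes: RSA-SHA256 with PKCS#1 v1.5 padding over data. The thread only
// says "RSA-SHA"; the exact hash and padding are assumptions of this example.
func signBytes(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	digest := sha256.Sum256(data)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyBytes treats any verification error as "not valid".
func verifyBytes(pub *rsa.PublicKey, data, sig []byte) bool {
	digest := sha256.Sum256(data)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// signXRD follows the SimpleSign sketch literally: Base64 the XRD, then sign
// the Base64 text. No canonicalisation is involved, which is the whole point
// of the simpler proposal.
func signXRD(priv *rsa.PrivateKey, xrd string) (string, []byte, error) {
	encoded := base64.StdEncoding.EncodeToString([]byte(xrd))
	sig, err := signBytes(priv, []byte(encoded))
	return encoded, sig, err
}

// verifyXRD is the RP side: hash the Base64 text exactly as received and
// check it against the key published in the document.
func verifyXRD(pub *rsa.PublicKey, encoded string, sig []byte) bool {
	return verifyBytes(pub, []byte(encoded), sig)
}

// keyIdentifier derives the "public key as claimed identifier": SHA-256 over
// the DER SubjectPublicKeyInfo encoding, hex-encoded. It depends only on the
// key, so it survives any change of URL or XRI.
func keyIdentifier(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

// Possession proof: the RP issues a fresh nonce, the OP signs it, the RP
// verifies with the key taken from the already-verified XRD.
func signChallenge(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	return signBytes(priv, nonce)
}

func verifyChallenge(pub *rsa.PublicKey, nonce, sig []byte) bool {
	return verifyBytes(pub, nonce, sig)
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	encoded, sig, _ := signXRD(priv, sampleXRD)
	fmt.Println("XRD signature valid:", verifyXRD(&priv.PublicKey, encoded, sig))

	// A one-byte change to the document must break the signature.
	tampered := base64.StdEncoding.EncodeToString([]byte(sampleXRD + " "))
	fmt.Println("tampered XRD accepted:", verifyXRD(&priv.PublicKey, tampered, sig))

	id, _ := keyIdentifier(&priv.PublicKey)
	fmt.Println("claimed identifier (key fingerprint):", id)

	nonce := make([]byte, 32) // fresh per authentication; rules out replay
	rand.Read(nonce)
	proof, _ := signChallenge(priv, nonce)
	fmt.Println("OP holds the private key:", verifyChallenge(&priv.PublicKey, nonce, proof))
}
```

Two points the code makes concrete: the verifier must hash the Base64 text exactly as received (any re-encoding or whitespace change breaks the check, which is what lets the proposal avoid c14n), and the possession proof only identifies anyone once the XRD that published the key has itself been verified; the per-authentication nonce is what stops a captured proof from being replayed against another RP.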