[OpenID] XRD signing and a new kind of Claimed Identifier

Peter Williams pwilliams at rapattoni.com
Fri Jun 5 16:39:08 UTC 2009


Nat:

Is there any consensus on the key management required to authenticate the keys that verify the digital signature?

Is there an assurance or management model that is inclusive of self-signed xrd for example (much like https security concept calls for self signed certs alongside ttp/issued certs)? Can the verifier leverage the certs and roots from the https context, if any, for example?

Are we sure that the signature must successfully verify even when there are "unregistered" xrd extensions that users may have added to the standard stream (e.g. their own claims, such as their root cert)?

The analogous oasis world of (dynamically) signed saml metadata with its endpoints is very split, between those who deny any and all value of digital certificates (UK/US academic websso communities inclusive) and those who see an opportunity (again) to realize a full policy-enabled, govt.-endorsed pki model. Here, we have to be careful of taking oasis advice, without review. I'd venture that 80 percent of the contributors to the oasis are still in denial that openid has anything to contribute or has any need to exist. 20 percent of folks in contrast have reacted to market realities (half billion gmail users can now send websso assertions and provision unique keying between op and RP, etc.). Given that (conjecture) and given xri resolution already tried to apply signed saml tokens to authenticated authoritative metadata, we should be sure that we are not endorsing management models that are incompatible with uci.


________________________________
From: Nat Sakimura <sakimura at gmail.com>
Sent: Friday, June 05, 2009 12:39 AM
To: Johannes Ernst <jernst+openid.net at netmesh.us>
Cc: general <general at openid.net>
Subject: Re: [OpenID] XRD signing and a new kind of Claimed Identifier

Secure XRD 1.0 will have public key and signature in it.
It is currently vigorously drafted.

The TC has been evaluating two types of signature: a constrained XML DSig, which is essentially simplified c14n and no q-names (similar to the SAML signature), and a new type of very simplistic signature, which Base64-encodes the XRD and takes RSA-SHA over it (see: http://wiki.oasis-open.org/xri/XrdOne/SimpleSign). The majority of the TC is tending towards the former, but some members still feel that the community would find it too complicated and that implementation compatibility will be an issue.

The XRI TC/XRD specs team would welcome your input in this regard, although, as usual, technical suggestions made here do not get into the spec because of the IPR contamination issues.

Regards,

=nat


On Fri, Jun 5, 2009 at 1:40 PM, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
If I understand you correctly, you are essentially describing LID.

http://lid.netmesh.org/wiki/LID_By_Example




On Jun 4, 2009, at 20:36, Andrew Arnott wrote:

I haven't read the XRD spec draft, so I don't know how well this would fit in, but I wonder...

Could we put a public key in an XRD file, and have the authentication process be that the OP proves it has the private key, and then the public key is the claimed identifier?  If we could pull this off we'd totally solve the problem of being able to change the URI or XRI identifier while still maintaining the user account at each RP; and similarly we could abandon a URL without fear of someone else picking it up and stealing the old user's identity.

Basically, have many of the same benefits of XRIs today, except without the annual fee of owning a top-level i-name, and without being locked down to one XRI service.  For example I have a few i-names, each with their own i-number, but these numbers aren't really portable.  AFAIK I can't abandon all my i-names, then acquire all new i-names with different services and different numbers of * characters in them, and then hook up my old i-numbers and expect it all to work.

Is this way off base, or a possibility?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general



Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst








--
Nat Sakimura (=nat)
http://www.sakimura.org/en/
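The thread above touches three mechanisms: the simple signature Nat describes (Base64 the XRD, take RSA-SHA over it), Andrew's idea of embedding a public key in the XRD, having the OP prove it holds the private key, and treating the key itself as the claimed identifier, and Peter's questions about what authenticates the embedded key and what happens when unregistered extensions are added. The following Go program is an added example, not code from the thread, from the XRI TC or from any of the specs it mentions. It assumes an RSA PKCS#1 v1.5 / SHA-256 profile, a constructed minimal XRD body, a constructed fingerprint scheme (SHA-256 over the RSA modulus) for the key-based identifier, and function names (SignXRD, VerifyXRD, VerifyPinned, KeyIdentifier, AppendExtension, ProvePossession, CheckPossession) chosen here for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// SampleXRD is a constructed, minimal XRD body used as the document to sign.
const SampleXRD = `<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Subject>https://op.example/alice</Subject></XRD>`

// SignedXRD is a hypothetical envelope for the simple scheme the mail describes:
// base64 the XRD, take RSA-SHA over it. PKCS#1 v1.5 with SHA-256 is an assumption.
type SignedXRD struct {
	Body      string         // base64 of the XRD XML
	PublicKey *rsa.PublicKey // the key embedded in the document
	Signature []byte         // RSA signature over the bytes of Body
}

// NewKey generates an RSA key standing in for an OP's long-lived signing key.
func NewKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func rsaSign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

func rsaVerify(pub *rsa.PublicKey, msg, sig []byte) error {
	d := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig)
}

// SignXRD base64-encodes the XRD, signs the base64 text and embeds the public key.
func SignXRD(xrd []byte, priv *rsa.PrivateKey) (*SignedXRD, error) {
	body := base64.StdEncoding.EncodeToString(xrd)
	sig, err := rsaSign(priv, []byte(body))
	if err != nil {
		return nil, err
	}
	return &SignedXRD{Body: body, PublicKey: &priv.PublicKey, Signature: sig}, nil
}

// VerifyXRD checks the signature with the key carried inside the envelope. Success
// shows only that the self-signed document is consistent, not that the key is the subject's.
func VerifyXRD(s *SignedXRD) ([]byte, error) {
	if err := rsaVerify(s.PublicKey, []byte(s.Body), s.Signature); err != nil {
		return nil, fmt.Errorf("xrd signature invalid: %w", err)
	}
	return base64.StdEncoding.DecodeString(s.Body)
}

// KeyIdentifier derives a claimed identifier from the key itself: a base64url
// SHA-256 fingerprint of the RSA modulus (a constructed scheme, not a spec's).
func KeyIdentifier(pub *rsa.PublicKey) string {
	h := sha256.Sum256(pub.N.Bytes())
	return base64.RawURLEncoding.EncodeToString(h[:])
}

// VerifyPinned adds the trust decision VerifyXRD lacks: the embedded key must match
// the identifier the RP already associates with the account.
func VerifyPinned(s *SignedXRD, claimedID string) ([]byte, error) {
	if KeyIdentifier(s.PublicKey) != claimedID {
		return nil, fmt.Errorf("embedded key does not match claimed identifier")
	}
	return VerifyXRD(s)
}

// AppendExtension models an unregistered element added to the XRD text without
// re-signing; the signature over the original base64 text no longer matches.
func AppendExtension(s *SignedXRD, ext string) *SignedXRD {
	xrd, _ := base64.StdEncoding.DecodeString(s.Body)
	patched := append(xrd, ext...)
	return &SignedXRD{Body: base64.StdEncoding.EncodeToString(patched), PublicKey: s.PublicKey, Signature: s.Signature}
}

// ProvePossession and CheckPossession: the OP signs an RP-chosen nonce, which is
// how the RP learns its peer controls the private key behind the identifier.
func ProvePossession(priv *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	return rsaSign(priv, nonce)
}

func CheckPossession(pub *rsa.PublicKey, nonce, proof []byte) bool {
	return rsaVerify(pub, nonce, proof) == nil
}

func main() {
	op := NewKey()
	signed, _ := SignXRD([]byte(SampleXRD), op)
	id := KeyIdentifier(signed.PublicKey)                // what the RP stores for the account
	forged, _ := SignXRD([]byte(SampleXRD), NewKey()) // same subject, different key
	_, selfErr := VerifyXRD(forged)
	_, pinErr := VerifyPinned(forged, id)
	_, extErr := VerifyXRD(AppendExtension(signed, "<Ext/>"))
	fmt.Println("forged self-verifies:", selfErr == nil, "| forged passes pin:", pinErr == nil, "| unsigned extension verifies:", extErr == nil)
}
```

The run makes Peter's point concrete: a document signed by an attacker's key under the same Subject passes VerifyXRD, because a self-signed XRD can only ever be checked against itself. What turns the signature into an assurance is the pin in VerifyPinned, which is exactly the identifier Andrew proposes: the RP's account is bound to the key fingerprint, so a key substitution fails even though the URL in the Subject is unchanged, and the owner can move the document to a new URL without losing the binding. The AppendExtension case shows why Peter's extension question matters for this scheme: any byte added after signing, registered or not, invalidates the signature, so a profile that expects verification to succeed over user-added claims needs the extensions to be inside the signed bytes or signed separately.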


