[OpenID] JISC Access and Identity Management Call 08/09

Peter Williams pwilliams at rapattoni.com
Thu Sep 3 18:49:13 UTC 2009


Study the domain architecture of RFC 1422, and enjoy. It represents the DARPA-angle on asymmetric key management (go change that paradigm! said DARPA, as always). Of course, it all got dropped in favor of hierarchical NSA-style key management. But, perhaps it's time to bring it back. Everything has its time and place.

Anyways, go see how cert chains can have and exploit multiple issuers. Go see in the (write-ups of the) research prototypes of that era how (SRI-style) weighting-based path discovery for cert paths (as used later in Cisco's EIGRP routing algorithms) can scale - without imposing a centralized discovery-provider model.

Flexible, resilient, local, self-contained. Works beautifully in the edge/core virtual routing world, allowing *anyone* to run a trust network.
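The multiple-issuer point argued in this message, as an added example that is not code from the thread or from RFC 1422: a small cross-certification graph in which one CA holds certificates from several issuers, and a relying party runs a weighted path search from a leaf toward whatever anchors it trusts locally. The certificate names, the per-hop costs and the cost model are constructed assumptions for illustration.

```python
"""Weighted certification-path discovery over a cross-certified graph.

Added example; the certificates, issuer names and edge costs below are
constructed sample data, and the cost model (lower cost for a more
direct or better-regarded issuer) is an assumption of this example.
"""
import heapq
from collections import defaultdict

# Constructed certificates as (subject, issuer, cost). A subject may appear
# with several issuers; that is what gives a relying party a choice of paths.
CERTS = [
    ("alice", "OrgA-CA", 1),
    ("OrgA-CA", "OrgA-CA", 0),   # self-signed root of OrgA
    ("OrgA-CA", "FedX", 2),      # OrgA-CA cross-certified by federation FedX
    ("OrgA-CA", "BridgeB", 4),   # OrgA-CA also cross-certified by BridgeB
    ("FedX", "FedX", 0),
    ("FedX", "BridgeB", 1),      # FedX cross-certified by BridgeB
    ("BridgeB", "BridgeB", 0),
]


def build_graph(certs):
    """Map each subject to the list of (issuer, cost) edges it can climb."""
    graph = defaultdict(list)
    for subject, issuer, cost in certs:
        if subject != issuer:  # self-signed certs add no edge
            graph[subject].append((issuer, cost))
    return graph


def find_path(certs, leaf, trust_anchors):
    """Dijkstra from the leaf toward any anchor the relying party trusts.

    Returns (total_cost, [leaf, ..., anchor]) or None when no trusted
    anchor is reachable; the relying party, not a central service,
    decides which anchors count.
    """
    graph = build_graph(certs)
    heap = [(0, leaf, [leaf])]
    seen = set()
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node in seen:
            continue
        seen.add(node)
        if node in trust_anchors:
            return cost, path
        for issuer, weight in graph.get(node, []):
            if issuer not in seen:
                heapq.heappush(heap, (cost + weight, issuer, path + [issuer]))
    return None
```

Two relying parties trusting different anchors get different, locally valid paths for the same leaf certificate, and one trusting neither gets no path at all.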


-----Original Message-----
From: Nate Klingenstein [mailto:ndk at internet2.edu]
Sent: Thursday, September 03, 2009 11:37 AM
To: Peter Williams
Cc: Santosh Rajan; general at openid.net
Subject: Re: [OpenID] JISC Access and Identity Management Call 08/09

Peter,

I happen to disagree for numerous reasons, not least of which is that
the certificate can only have one issuer, while an XRD can point to a
handful of authority/reputation/federation services that can vouch for
the entity.  I'm actually somewhat less interested in the distributed
signatures than I am in a pollable vetting authority.

But that gut feeling is precisely why you should go find a UK academic
and offer to help them hammer out a proposal for the solicitation. ;D

Take care,
Nate.

On Sep 3, 2009, at 6:23 PM, Peter Williams wrote:

> My gut feeling is that even if a revised mission is commended, a
> minor tweak of the existing SSL world can do 99% of what's being
> claimed for signed XRD and cross-domain delegations.