<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>Re: [OpenID] OpenID as a PKI facilitator</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Thanks!<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Ben Laurie [<A HREF="mailto:benl@google.com">mailto:benl@google.com</A>]<BR>
Sent: Saturday, April 07, 2007 10:45 AM Pacific Standard Time<BR>
To: Recordon, David<BR>
Cc: Dick Hardt; OpenID General<BR>
Subject: Re: [OpenID] OpenID as a PKI facilitator<BR>
<BR>
On 4/7/07, Recordon, David <drecordon@verisign.com> wrote:<BR>
> So then where are we placing the user's key? I thought what was being<BR>
> proposed was using the signing key as the user's public key. Seems this<BR>
> isn't the case, so then is the user's key going in as a DNS record (and<BR>
> then in what format)?<BR>
<BR>
<A HREF="http://www.ietf.org/rfc/rfc4398.txt">http://www.ietf.org/rfc/rfc4398.txt</A><BR>
<BR>
><BR>
> --David<BR>
><BR>
> -----Original Message-----<BR>
> From: Ben Laurie [<A HREF="mailto:benl@google.com">mailto:benl@google.com</A>]<BR>
> Sent: Saturday, April 07, 2007 10:13 AM<BR>
> To: Recordon, David<BR>
> Cc: Dick Hardt; OpenID General<BR>
> Subject: Re: [OpenID] OpenID as a PKI facilitator<BR>
><BR>
> On 4/7/07, Recordon, David <drecordon@verisign.com> wrote:<BR>
> > Dick said:<BR>
> > > dick.pip.verisignlabs.com and david.pip.verisignlabs.com would be<BR>
> > > able to be in the zone and hence use the signing key for<BR>
> > > pip.verisignlabs.com.<BR>
> ><BR>
> > As I read that, both dick.pip.verisignlabs.com and<BR>
> > david.pip.verisignlabs.com would be in the same zone and thus be using<BR>
> > the same key.<BR>
><BR>
> What? There's no need for them to be using the same key if they're in<BR>
> the same zone. The key that is the same is the one that signs their<BR>
> records, i.e. the zone key.<BR>
><BR>
> > That is not what I was envisioning, I was seeing<BR>
> > dick.pip.verisignlabs.com and david.pip.verisignlabs.com having to be<BR>
> > in separate zones in order to have separate keys.<BR>
> ><BR>
> > DTP is a draft back-channel protocol (basically S/MIME over HTTP)<BR>
> > which proposes key discovery via Yadis.<BR>
> > <A HREF="http://openid.net/specs/openid-service-key-discovery-1_0-01.html">http://openid.net/specs/openid-service-key-discovery-1_0-01.html</A><BR>
> ><BR>
> > --David<BR>
> ><BR>
> > -----Original Message-----<BR>
> > From: Ben Laurie [<A HREF="mailto:benl@google.com">mailto:benl@google.com</A>]<BR>
> > Sent: Saturday, April 07, 2007 10:01 AM<BR>
> > To: Recordon, David<BR>
> > Cc: Dick Hardt; OpenID General<BR>
> > Subject: Re: [OpenID] OpenID as a PKI facilitator<BR>
> ><BR>
> > On 4/7/07, Recordon, David <drecordon@verisign.com> wrote:<BR>
> > ><BR>
> > ><BR>
> > ><BR>
> > > Ah, now I see our disconnect. I thought "dick" and "david" had<BR>
> > > different keys as per the DTP discussion.<BR>
> ><BR>
> > Obviously they have different keys. You've lost me. What is DTP?<BR>
> ><BR>
> > ><BR>
> > > --David<BR>
> > ><BR>
> > ><BR>
> > > -----Original Message-----<BR>
> > > From: Dick Hardt [<A HREF="mailto:dick@sxip.com">mailto:dick@sxip.com</A>]<BR>
> > > Sent: Saturday, April 07, 2007 07:30 AM Pacific Standard Time<BR>
> > > To: Ben Laurie<BR>
> > > Cc: OpenID General<BR>
> > > Subject: Re: [OpenID] OpenID as a PKI facilitator<BR>
> > ><BR>
> > ><BR>
> > > On 7-Apr-07, at 3:53 AM, Ben Laurie wrote:<BR>
> > ><BR>
> > > > On 4/7/07, Dick Hardt <dick@sxip.com> wrote:<BR>
> > > >> Hmmm ... that is not how I understood it worked from talking to<BR>
> > > >> Ben Laurie.<BR>
> > > >><BR>
> > > >> Ben: would seem pretty heavy if zone file was needed to store a<BR>
> > > >> key in a record. Is this true?<BR>
> > > ><BR>
> > > > No. But nor is that what David said: he said a separate zone was<BR>
> > > > needed for each signing key. Which is true.<BR>
> > > ><BR>
> > > > What I can't figure out from what has been written in this thread<BR>
> > > > is what exactly you are trying to do, or why it would involve<BR>
> > > > multiple signing keys - from what I'm reading, you want to publish<BR>
> > > > a key per user, signed by some authority, which you can do in a<BR>
> > > > single zone. But I'm guessing wildly.<BR>
> > ><BR>
> > > Your guess is what we were talking about. How do you publish a key<BR>
> > > for the user, where each user is represented by a different DNS<BR>
> > > record.<BR>
> > ><BR>
> > > dick.pip.verisignlabs.com and david.pip.verisignlabs.com would be<BR>
> > > able to be in the zone and hence use the signing key for<BR>
> > > pip.verisignlabs.com.<BR>
> > ><BR>
> > > -- Dick<BR>
> > ><BR>
> > > _______________________________________________<BR>
> > > general mailing list<BR>
> > > general@openid.net<BR>
> > > <A HREF="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</A><BR>
> > ><BR>
> > ><BR>
> > ><BR>
> ><BR>
><BR>
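<BR>
The record type Ben points to (RFC 4398, CERT) is what lets dick.pip.verisignlabs.com and david.pip.verisignlabs.com each carry their own key as an ordinary owner name in the single pip.verisignlabs.com zone: the per-user key lives in the CERT RDATA, while the one zone key is only what signs the RRsets. The following is an added worked example and is not code from the thread or from any of the participants' projects. It builds CERT RDATA in RFC 4398 wire format (type, key tag, algorithm, certificate), prints the zone-file presentation form for two users in one zone, and computes the key tag the RFC 4034 way over a DNSKEY encoding of the user's key. The zone name, labels, key bytes and "certificate" payloads are constructed placeholders, and treating the user key as a DNSKEY-style (flags 256, protocol 3) encoding for the key-tag computation is an assumption of this example.<BR>
<BR>
```python
"""Per-user public keys as CERT RRs (RFC 4398) inside one DNSSEC zone.

Added example, not from the thread. Owner names, key bytes and the
"certificate" payloads below are constructed placeholders.
"""
import base64
import struct

# RFC 4398 section 2.1 certificate type values and their mnemonics.
CERT_TYPES = {1: "PKIX", 2: "SPKI", 3: "PGP", 4: "IPKIX", 5: "ISPKI",
              6: "IPGP", 7: "ACPKIX", 8: "IACPKIX", 253: "URI", 254: "OID"}
RSASHA1 = 5  # DNSSEC algorithm number, shared by DNSKEY, RRSIG and CERT


def key_tag(dnskey_rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata):
        ac += b * 256 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags(16) | protocol(8, always 3) | algorithm(8) | key.
    Assumption of this example: the user's key is encoded this way so that
    the CERT key tag can be computed from it."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def build_cert_rdata(cert_type, tag, algorithm, cert):
    """RFC 4398 section 2: type(16) | key tag(16) | algorithm(8) | certificate."""
    return struct.pack("!HHB", cert_type, tag, algorithm) + cert


def parse_cert_rdata(rdata):
    """Inverse of build_cert_rdata; rejects RDATA shorter than the 5-octet header."""
    if len(rdata) < 5:
        raise ValueError("CERT RDATA needs a 5-octet header")
    cert_type, tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, tag, algorithm, rdata[5:]


def cert_presentation(owner, rdata, ttl=3600):
    """Zone-file form: type mnemonic, key tag, algorithm, base64 certificate."""
    cert_type, tag, algorithm, cert = parse_cert_rdata(rdata)
    mnemonic = CERT_TYPES.get(cert_type, str(cert_type))
    b64 = base64.b64encode(cert).decode("ascii")
    return f"{owner} {ttl} IN CERT {mnemonic} {tag} {algorithm} {b64}"


def per_user_cert_records(zone, users, cert_type=1, algorithm=RSASHA1):
    """One CERT RR per user label, all owned under the same zone apex.

    users: {label: (public_key_bytes, certificate_bytes)}.  The records
    need no zone of their own; the zone's single signing key signs the
    RRset at each owner name while every user keeps a different key."""
    lines = []
    for label, (pubkey, cert) in users.items():
        tag = key_tag(dnskey_rdata(256, algorithm, pubkey))
        rdata = build_cert_rdata(cert_type, tag, algorithm, cert)
        lines.append(cert_presentation(f"{label}.{zone}.", rdata))
    return lines


if __name__ == "__main__":
    # Constructed sample input: two users, two distinct keys, one zone.
    users = {
        "dick": (b"\x00\x01\x02\x03", b"constructed-cert-dick"),
        "david": (b"\x00\x01\x02\x04", b"constructed-cert-david"),
    }
    for line in per_user_cert_records("pip.verisignlabs.com", users):
        print(line)
```
<BR>
The two emitted lines differ only in owner name, key tag and certificate body; nothing about them requires a delegation or a second zone key, which is the point Ben and Dick converge on.<BR>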
</FONT>
</P>
</BODY>
</HTML>