<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<TITLE>Re: [OpenID] OpenID as a PKI facilitator</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/plain format -->
<P><FONT SIZE=2>Ah, now I see our disconnect. I thought "dick" and "david" had different keys as per the DTP discussion.<BR>
<BR>
--David<BR>
<BR>
<BR>
-----Original Message-----<BR>
From: Dick Hardt [<A HREF="mailto:dick@sxip.com">mailto:dick@sxip.com</A>]<BR>
Sent: Saturday, April 07, 2007 07:30 AM Pacific Standard Time<BR>
To: Ben Laurie<BR>
Cc: OpenID General<BR>
Subject: Re: [OpenID] OpenID as a PKI facilitator<BR>
<BR>
<BR>
On 7-Apr-07, at 3:53 AM, Ben Laurie wrote:<BR>
<BR>
> On 4/7/07, Dick Hardt <dick@sxip.com> wrote:<BR>
>> Hmmm ... that is not how I understood it worked from talking to <BR>
>> Ben Laurie.<BR>
>><BR>
>> Ben: would seem pretty heavy if zone file was needed to store a <BR>
>> key in a<BR>
>> record. Is this true?<BR>
><BR>
> No. But nor is that what David said: he said a separate zone was<BR>
> needed for each signing key. Which is true.<BR>
><BR>
> What I can't figure out from what has been written in this thread is what<BR>
> exactly you are trying to do, or why it would involve multiple signing<BR>
> keys - from what I'm reading, you want to publish a key per user,<BR>
> signed by some authority, which you can do in a single zone. But I'm<BR>
> guessing wildly.<BR>
<BR>
Your guess is what we were talking about. How do you publish a key <BR>
for the user, where each user is represented by a different DNS record.<BR>
<BR>
dick.pip.verisignlabs.com and david.pip.verisignlabs.com would be <BR>
able to be in the zone and hence use the signing key for <BR>
pip.verisignlabs.com.<BR>
<BR>
-- Dick<BR>
<BR>
_______________________________________________<BR>
general mailing list<BR>
general@openid.net<BR>
<A HREF="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</A><BR>
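As an added illustration of Dick's point (example code, not from the thread or from any DNSSEC implementation): one zone signing key for pip.verisignlabs.com covers both users' records, so no separate zone is needed per user. HMAC-SHA256 stands in for DNSSEC's public-key RRSIG, and the per-user key values are constructed placeholders.

```python
# Added illustration (not from the thread): one zone signing key covering
# several per-user records. HMAC-SHA256 stands in for DNSSEC's public-key
# RRSIG; the zone and user names are taken from the thread.
import hashlib
import hmac

ZONE = "pip.verisignlabs.com."

def canonical_name(name: str) -> str:
    """RFC 4034 canonical form: lowercase, absolute (trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def in_zone(name: str, zone: str = ZONE) -> bool:
    """True if name is the zone apex or lies below it (same signing key)."""
    n, z = canonical_name(name), canonical_name(zone)
    return n == z or n.endswith("." + z)

def sign_rrset(zone_key: bytes, name: str, rrtype: str, rdata: list) -> bytes:
    """Sign one RRset with the zone key, refusing names outside the zone."""
    if not in_zone(name):
        raise ValueError(f"{name} is not in zone {ZONE}; a different key applies")
    # Canonical RDATA ordering so the signature is independent of input order.
    wire = "\n".join([canonical_name(name), rrtype] + sorted(rdata)).encode()
    return hmac.new(zone_key, wire, hashlib.sha256).digest()

def verify_rrset(zone_key, name, rrtype, rdata, sig) -> bool:
    try:
        return hmac.compare_digest(sign_rrset(zone_key, name, rrtype, rdata), sig)
    except ValueError:
        return False

# Constructed sample data: one zone key, one TXT record per user holding
# a (placeholder) public key.
ZONE_KEY = b"constructed-zone-signing-key"
USER_KEYS = {
    "dick.pip.verisignlabs.com": ["v=pubkey; k=PLACEHOLDER_DICK"],
    "david.pip.verisignlabs.com": ["v=pubkey; k=PLACEHOLDER_DAVID"],
}

def publish_all(zone_key=ZONE_KEY, users=USER_KEYS) -> dict:
    """Sign every user's record with the single zone key; returns name -> sig."""
    return {n: sign_rrset(zone_key, n, "TXT", rd) for n, rd in users.items()}

if __name__ == "__main__":
    sigs = publish_all()
    for name, sig in sigs.items():
        print(name, verify_rrset(ZONE_KEY, name, "TXT", USER_KEYS[name], sig))
```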
</FONT>
</P>
</BODY>
</HTML>