<div> In order to get the result that you want, the OpenID of the user will have to be included in the certificate. Is this typical among the OPs that are using certificates?<br>
<br>
The RP would have to check that the OpenID asserted by the OP is also bound by the certificate to the organization. Note that the OpenID referred to here is the one claimed by the user, not the delegated id that the OpenID provider actually deals with.<br>
<br>
Use of the certificate in this way is more like attribute certificates than it is a regular public-key binding.<br>
<br>
Terry<br>
</div>
<div> <br>
</div>
<div> <br>
</div>
-----Original Message-----<br>
From: Pat Cappelaere <pat@cappelaere.com><br>
To: general@openid.net<br>
Sent: Mon, 23 Apr 2007 10:14 am<br>
Subject: [OpenID] OpenID + Certs<br>
<br>
<div id="AOLMsgPart_2_f64047aa-771a-465d-a2a0-d6b856d5c241" style="margin: 0px; font-family: Tahoma,Verdana,Arial,Sans-Serif; font-size: 12px; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<pre style="font-size: 9pt;"><tt>We are starting to see more sites that serve OpenIDS and use certificates<br>
for client-side SSL.<br>
This is good news. What would even be better would be to make the user cert<br>
available in the sreg optional attributes for more stringent consumers.<br>
This would allow me to validate a user's belonging to a specific<br>
organization for instance if he agrees of course. This would allow certain<br>
sites to release more sensitive information for Humanitarian Assistance<br>
and/or Disaster Relief in my case.<br>
Could this be added easily?<br>
Does this make sense?<br>
Wdyt?<br>
<br>
Pat.<br>
eo1.geobliki.com<br>
</tt></pre>
</div>
<!-- end of AOLMsgPart_2_f64047aa-771a-465d-a2a0-d6b856d5c241 -->
<div id="AOLMsgPart_4_f64047aa-771a-465d-a2a0-d6b856d5c241" style="margin: 0px; font-family: Tahoma,Verdana,Arial,Sans-Serif; font-size: 12px; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<pre style="font-size: 9pt;"><tt>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a>
</tt></pre>
</div>
<!-- end of AOLMsgPart_4_f64047aa-771a-465d-a2a0-d6b856d5c241 -->
<div class="AOLPromoFooter">
<hr style="margin-top:10px;" />
AOL now offers free email to everyone. Find out more about what's free from AOL at <a href="http://www.aol.com?ncid=AOLAOF00020000000437" target="_blank"><b>AOL.com</b></a>.<br />
</div>