<br><br><div class="gmail_quote">On Sun, Nov 30, 2008 at 5:56 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Time to take the extension power of XRDS, and apply xmldsig "detached signature(s)"</blockquote><div><br></div><div>Signing XRD is pretty much what we're proposing for the next generation...</div><div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><br>
<br>
This would be using similar mechanism as used in Authenticode, where designers applied 3rd-party countersigning and 4th-party timestamping to solve validity problems - at internet scale. Different parties (OP, discovery agents, validation) can then cooperate, in the inherently suspicious world of open systems.<br>
<br>
The Shib/Apache-xmltooling toolset has all the mechanisms required to make power-use of the flexibility of the xmldsig standard (as do many other tools). Being very, very flexible in its references, it's easy to screw up application of xmldsig, producing unwanted sideeffects tho.<br>
<div class="Ih2E3d"><br>
-----Original Message-----<br>
From: <a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [mailto:<a href="mailto:general-bounces@openid.net">general-bounces@openid.net</a>] On Behalf Of Eric Norman<br>
Sent: Sunday, November 30, 2008 9:50 AM<br>
To: OpenID List<br>
</div><div><div></div><div class="Wj3C7c">Subject: Re: [OpenID] 2-Headed OpenID Auth for Increased Security?<br>
<br>
<br>
On Nov 30, 2008, at 9:35 AM, Andrew Arnott wrote:<br>
<br>
> I like the idea.... but the XRDS would have to mandatorily not be<br>
> hosted by either OP (which right now is commonly done), since that OP<br>
> would still ultimately have total assertion power by temporarily<br>
> manipulating the XRDS file to point to two OP endpoints that were both<br>
> controlled by the evil party.<br>
<br>
Be careful. "Hosted by" does not necessarily imply "content<br>
controlled by".<br>
<br>
Eric Norman<br>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>