Hi Nara,<br><br>In my opinion maybe the best option is signing XRD. <br><br>This way you will have a proof of possession of the certificate by the party offering XRD prior to starting the contract exchange. <br><br>I've been checking <a href="http://www.oasis-open.org/committees/download.php/36030/xrd-trust-basic-x509-1.0-wd01.html">XRD signature</a> and they're quite aligned with some questions we discussed before, like restrictions over the signing certificate's key usage. Furthermore, they define the signature validation process in some detail.<br>
<br>Best regards!<br><br>Dave<br><br><div class="gmail_quote">2010/4/20 nara hideki <span dir="ltr">&lt;<a href="mailto:hdknr@ic-tact.co.jp">hdknr@ic-tact.co.jp</a>&gt;</span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi, experts.<br>
<br>
I think that there should be rules for binding the X.509 subject used to<br>
sign a contract to /Contract/Party/@id.<br>
<br>
Two ways came to my mind:<br>
<br>
1. XRD/XRDS discovered for /Contract/Party/@id MUST be signed with<br>
the same certificate used to sign contracts.<br>
2. X.509 should have a property for the Party/@id.<br>
<br>
There could be more or better ones.<br>
<br>
Any ideas welcome.<br>
<br>
Thanks.<br>
---<br>
hdknr<br>
_______________________________________________<br>
Specs-cx mailing list<br>
<a href="mailto:Specs-cx@lists.openid.net">Specs-cx@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-cx" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-cx</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>David Garcia<br>CTO<br>Tractis - Online contracts you can enforce<br><a href="http://www.tractis.com">http://www.tractis.com</a><br>--<br>Email: <a href="mailto:david.garcia@tractis.com">david.garcia@tractis.com</a><br>
Skype: deiffbcn<br>Blog: <a href="http://blog.negonation.com">http://blog.negonation.com</a><br>Linkedin: <a href="http://www.linkedin.com/in/davebcn">http://www.linkedin.com/in/davebcn</a><br><br><br>
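The binding proposed as option 1 in the quoted message, written out as an added example (not code from this thread or from the CX or XRD specifications): the XRD whose Subject is the Party id must carry a signing certificate that also signed the contract. It assumes a namespace-less Contract layout with Party as a direct child, enveloped top-level ds:Signature elements, and that both XML signatures and certificate chains were already validated by an XML-DSig library; the sample documents carry constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
XRD = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"

def top_level_signers(root):
    """SHA-256 fingerprints of the certificates in root's own ds:Signature children."""
    prints = set()
    # Only direct children count: searching the whole tree would also accept
    # a Signature element that was wrapped somewhere inside the document.
    for sig in root.findall(DS + "Signature"):
        # Assumption: the first X509Certificate in KeyInfo is the signing cert.
        cert = sig.findtext(f"{DS}KeyInfo/{DS}X509Data/{DS}X509Certificate")
        if not cert:
            raise ValueError("ds:Signature without an X509Certificate")
        der = base64.b64decode("".join(cert.split()), validate=True)
        prints.add(hashlib.sha256(der).hexdigest())
    return prints

def party_bound_to_signer(contract_xml, xrd_xml, party_id):
    """True only if the XRD for party_id and the contract share a signing certificate."""
    contract, xrd = ET.fromstring(contract_xml), ET.fromstring(xrd_xml)
    if party_id not in [p.get("id") for p in contract.findall("Party")]:
        return False  # the id is not a party to this contract
    if xrd.tag != XRD + "XRD" or xrd.findtext(XRD + "Subject") != party_id:
        return False  # the discovered XRD describes some other subject
    xrd_signers = top_level_signers(xrd)
    # Exactly one XRD signer, and it must be among the contract's signers.
    return len(xrd_signers) == 1 and xrd_signers <= top_level_signers(contract)

def _sig(cert):  # constructed ds:Signature holding placeholder bytes
    b64 = base64.b64encode(cert).decode()
    return ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{b64}'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>')

# Constructed sample documents (hypothetical party id and layout).
PARTY = "https://example.com/party-a"
XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"
CONTRACT = f'<Contract><Party id="{PARTY}"/>{_sig(b"cert-A")}</Contract>'
XRD_OK = f'<XRD xmlns="{XRD_NS}"><Subject>{PARTY}</Subject>{_sig(b"cert-A")}</XRD>'
XRD_OTHER = f'<XRD xmlns="{XRD_NS}"><Subject>{PARTY}</Subject>{_sig(b"cert-B")}</XRD>'

if __name__ == "__main__":
    print(party_bound_to_signer(CONTRACT, XRD_OK, PARTY))
    print(party_bound_to_signer(CONTRACT, XRD_OTHER, PARTY))
```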