We can sign the existing XRDS with XML DSig as well. <div>XRD is not yet in use so just in case. </div><div><br></div><div>As to the trust framework, we can just state that the trust circle should </div><div>decide the specifics, but one should check the claimed_id against </div>
<div>Subject or Subject AltName etc., AND cert usage AND crl, etc. </div><div><br></div><div>=nat</div><div><br><br><div class="gmail_quote">On Thu, Apr 22, 2010 at 2:15 PM, nara hideki <span dir="ltr">&lt;<a href="mailto:hdknr@ic-tact.co.jp">hdknr@ic-tact.co.jp</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">Thank you again David.<br>
I should look at the XRD signature.<br>
<br>
Thanks!<br>
---<br>
hdknr<br>
<br>
2010/4/20 David García &lt;<a href="mailto:david.garcia@tractis.com">david.garcia@tractis.com</a>&gt;:<br>
<div><div></div><div class="h5">> Hi Nara,<br>
><br>
> in my opinion maybe the best option is signing XRD.<br>
><br>
> This way you will have a proof of possession of the certificate by the party<br>
> offering XRD prior to starting contract exchange.<br>
><br>
> I've been checking XRD signatures and they're quite aligned with some<br>
> questions we discussed before, like restrictions over signing certificate's<br>
> key usage. Furthermore they define with some detail signature validation<br>
> process.<br>
><br>
> Best regards!<br>
><br>
> Dave<br>
><br>
> 2010/4/20 nara hideki &lt;<a href="mailto:hdknr@ic-tact.co.jp">hdknr@ic-tact.co.jp</a>&gt;<br>
>><br>
>> Hi, experts.<br>
>><br>
>> I think that there should be rules for binding X.509 subject used to<br>
>> sign a contract to /Contract/Party/@id.<br>
>><br>
>> Two ways came to my mind :<br>
>><br>
>> 1. XRD/XRDS discovered for /Contract/Party/@id MUST be signed with<br>
>> same certificate used to sign contracts.<br>
>> 2. X.509 should have a property for the Party/@id.<br>
>><br>
>> There could be more or better ones.<br>
>><br>
>> Any idea welcome.<br>
>><br>
>> Thanks.<br>
>> ---<br>
>> hdknr<br>
>> _______________________________________________<br>
>> Specs-cx mailing list<br>
>> <a href="mailto:Specs-cx@lists.openid.net">Specs-cx@lists.openid.net</a><br>
>> <a href="http://lists.openid.net/mailman/listinfo/openid-specs-cx" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-cx</a><br>
><br>
><br>
><br>
> --<br>
> David Garcia<br>
> CTO<br>
> Tractis - Online contracts you can enforce<br>
> <a href="http://www.tractis.com" target="_blank">http://www.tractis.com</a><br>
> --<br>
> Email: <a href="mailto:david.garcia@tractis.com">david.garcia@tractis.com</a><br>
> Skype: deiffbcn<br>
> Blog: <a href="http://blog.negonation.com" target="_blank">http://blog.negonation.com</a><br>
> Linkedin: <a href="http://www.linkedin.com/in/davebcn" target="_blank">http://www.linkedin.com/in/davebcn</a><br>
><br>
><br>
><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Nat Sakimura (=nat)<br><a href="http://www.sakimura.org/en/">http://www.sakimura.org/en/</a><br><a href="http://twitter.com/_nat_en">http://twitter.com/_nat_en</a><br>
</div>
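<div>Added example, not part of the thread or of any specification text: a Go illustration of the checks listed in the top message (claimed_id against SubjectAltName, certificate key usage, revocation). It assumes the chain has already been validated against the trust circle's anchors, matches SAN URIs only, and takes revoked serial numbers from an already verified CRL; CheckBinding, SampleCert and the party.example identifiers are hypothetical.</div>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// CheckBinding requires: claimed_id present as a SAN URI, key usage that permits
// signing, and a serial absent from revoked (serials of a verified CRL, an assumption).
func CheckBinding(c *x509.Certificate, claimedID string, revoked map[string]bool) error {
	bound := false
	for _, u := range c.URIs {
		bound = bound || u.String() == claimedID // exact match only, no prefix or host matching
	}
	if !bound {
		return errors.New("claimed_id not in SubjectAltName")
	}
	if c.KeyUsage&(x509.KeyUsageDigitalSignature|x509.KeyUsageContentCommitment) == 0 {
		return errors.New("key usage does not permit signing")
	}
	if revoked[c.SerialNumber.String()] {
		return errors.New("certificate revoked")
	}
	return nil
}

// SampleCert builds a constructed self-signed certificate; errors are ignored in this sample helper.
func SampleCert(id string, canSign bool, serial int64) *x509.Certificate {
	usages := map[bool]x509.KeyUsage{true: x509.KeyUsageDigitalSignature, false: x509.KeyUsageKeyEncipherment}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	u, _ := url.Parse(id)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), URIs: []*url.URL{u}, KeyUsage: usages[canSign],
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() {
	c := SampleCert("https://party.example/id", true, 7)
	fmt.Println(CheckBinding(c, "https://party.example/id", nil), CheckBinding(c, "https://other.example/id", nil))
}
```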