Server-to-server channel
Vinay Gupta
hexayurt at gmail.com
Wed Apr 4 20:02:07 UTC 2007
On Apr 4, 2007, at 7:43 PM, Douglas Otis wrote:
> Related services that can be enabled by using OpenID as a key
> distribution scheme. Keys would need to relate to services handled
> by the consumer or RP. A sub-attribute could help facilitate
> correct placement of the keys and to allow different keys for
> different purposes.
>
>> Secondly X509 certificates are very, very broken in terms of
>> delegation semantics and certification semantics (at least in many
>> people's eyes, mine included.)
>>
>> So.. SPKI?
>>
>> (yes, I've been over this territory.... and that's pretty much
>> what I'm doing here.)
>
> How these keys are handled internally could be left to the consumer
> or RP. Either the OpenID server or the Consumer or RP could
> fashion their own certs based upon this information where it is
> administered and integrated with other services. The individual
> end-user would only need to submit their set of public keys for
> this to become possible.
Hm. Well, I don't want to suggest that we tear off fixing or expressing
the whole semantics of PKI, but I do think that some care should be
taken to make sure that it's clear what the security status of a
returned key is. Problems like Confused Deputy can easily arise when
you start dealing with registry systems which aren't under really
tight control.
I don't have a neatly packaged solution for this, but we're dealing
with situations which can have very significant legal repercussions:
digital signatures are legal for some kinds of transactions in some
jurisdictions, and however this is handled, it has to have some
approach to the questions of "what is the key good for, and who says
it's OK for this purpose?"
Vinay
--
Vinay Gupta - Designer, Hexayurt Project - an excellent public domain
refugee shelter system
Gizmo Project VOIP: 775-743-1851 (usually works!)
Cell: Iceland (+354) 869-4605
http://howtolivewiki.com/hexayurt - old
http://appropedia.org/Hexayurt_Project - new
Skype/Gizmo/Gtalk: hexayurt
I have a proof which unfortunately this signature is too short
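The "what is the key good for, and who says it's OK for this purpose?" question above, as an added example that is not code from this thread, from OpenID or from any project. It sketches an SPKI-style authorization check of the kind Vinay alludes to: every key the RP accepts for a purpose must sit at the end of an unbroken chain of statements ("issuer says subject may do tag") rooted in a key the RP itself trusts, with re-delegation allowed only where the granting statement permits it. The record layout, the tag syntax (`sign:*` style prefix wildcards), the placeholder key names (`K_rp`, `K_alice`, ...) and the sample statements are all my assumptions for illustration.

```python
"""SPKI-style 'who says this key is OK for what' check (illustrative).

Added example, not from the OpenID thread or any project. The record
layout, tag syntax and placeholder key names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuthCert:
    """One authorization statement: `issuer` says `subject` may do `tag`."""
    issuer: str          # key (placeholder name) making the statement
    subject: str         # key the statement is about
    tag: str             # purpose, e.g. "sign:contract", "sign:*" or "*"
    propagate: bool      # may the subject re-delegate this authority?
    not_after: datetime  # end of validity


def tag_covers(granted: str, wanted: str) -> bool:
    """Exact match, a global '*' grant, or a 'prefix:*' grant (assumed syntax)."""
    if granted == "*" or granted == wanted:
        return True
    if granted.endswith(":*"):
        return wanted.startswith(granted[:-1])   # "sign:*" covers "sign:contract"
    return False


def _holds(certs, roots, holder, purpose, now, need_propagate, seen):
    """Does `holder` hold `purpose` via a chain rooted in `roots`?
    `need_propagate` is set for every intermediary: an intermediary may
    only pass authority on if its own grant says propagate=True."""
    if holder in roots:
        return True
    if holder in seen:          # cycle or already-failed holder
        return False
    seen.add(holder)
    for c in certs:
        if c.subject != holder or c.not_after <= now:
            continue                            # wrong subject or expired
        if not tag_covers(c.tag, purpose):
            continue                            # granted for some other purpose
        if need_propagate and not c.propagate:
            continue                            # holder may use, not delegate
        # The issuer must itself hold the authority *and* be allowed to delegate.
        if _holds(certs, roots, c.issuer, purpose, now, True, seen):
            return True
    return False


def key_authorized(certs, roots, key, purpose, now):
    """True only if someone the RP trusts vouches, directly or via
    delegation, for `key` being good for `purpose` right now."""
    return _holds(certs, roots, key, purpose, now, False, set())


# Constructed sample data: a fixed "now" plus a handful of statements.
NOW = datetime(2007, 4, 4, tzinfo=timezone.utc)
VALID = datetime(2008, 1, 1, tzinfo=timezone.utc)
EXPIRED = datetime(2006, 1, 1, tzinfo=timezone.utc)
ROOTS = {"K_rp"}  # the relying party trusts only its own key as an authority

CERTS = [
    AuthCert("K_rp", "K_hr", "sign:*", True, VALID),              # HR may sign and delegate
    AuthCert("K_hr", "K_alice", "sign:contract", False, VALID),   # Alice may sign, not delegate
    AuthCert("K_alice", "K_mallory", "sign:contract", True, VALID),  # Alice tries to delegate anyway
    AuthCert("K_rp", "K_bob", "login", False, VALID),             # Bob: login only
    AuthCert("K_registry", "K_eve", "*", True, VALID),            # a registry the RP does not trust
    AuthCert("K_rp", "K_carol", "sign:contract", False, EXPIRED), # expired grant
]


def demo():
    """Evaluate the sample statements; each answer is traceable to one rule."""
    check = lambda key, purpose: key_authorized(CERTS, ROOTS, key, purpose, NOW)
    return {
        "alice_sign": check("K_alice", "sign:contract"),    # True: rp -> hr -> alice
        "alice_login": check("K_alice", "login"),           # False: wrong purpose
        "bob_login": check("K_bob", "login"),               # True: direct grant
        "bob_sign": check("K_bob", "sign:contract"),        # False: wrong purpose
        "mallory_sign": check("K_mallory", "sign:contract"),  # False: Alice can't delegate
        "eve_sign": check("K_eve", "sign:contract"),        # False: nobody the RP trusts says so
        "carol_sign": check("K_carol", "sign:contract"),    # False: expired
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'authorized' if ok else 'rejected'}")
```

The point of the example is the `eve_sign` and `mallory_sign` cases: a key handed back by a registry is just bits until some statement from a key the RP trusts, for that purpose, reaches it; and an intermediary that was granted use but not delegation cannot manufacture authority for a third party, which is the confused-deputy shape the message warns about.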