Server-to-server channel
Chris Drake
christopher at pobox.com
Thu Apr 5 03:59:09 UTC 2007
Thursday, April 5, 2007, 5:43:02 AM, you wrote:
[snip]
DO> How these keys are handled internally could be left to the
DO> consumer or RP.
[snip]
This sounds like another *strong* use-case for updating the OpenID
protocol to allow transactions to take place when the user is not
present.
I am not likely to be present when people relying upon my certificates
choose to verify signatures, check for revocation, or attempt to
encrypt stuff destined for me.
There needs to be a way for the RP to contact my OP and get access to
my information (e.g. my current public key and revocation list) - by my
explicit prior consent of course.
I believe it's entirely unreasonable, and privacy-invasive, and
identity-theft-endangering, to expect every RP out there to have to
cache a copy of all my credentials, and for me or my OP to have to
propagate any changes/updates/additions etc. out to them all. Keeping
all my info in one place solves this - only if the RPs can get what
they want, *when* they want, which can't be done without
server-to-server means.
Chris.