Server-to-server channel
Dick Hardt
dick at sxip.com
Thu Apr 5 14:26:14 UTC 2007
On 4-Apr-07, at 8:59 PM, Chris Drake wrote:
> Thursday, April 5, 2007, 5:43:02 AM, you wrote:
>
> [snip]
>
> DO> How these keys are handled internally could be left to the
> DO> consumer or RP.
>
> [snip]
>
> This sounds like another *strong* use-case for updating the OpenID
> protocol to allow transactions to take place when the user is not
> present.
>
> I am not likely to be present when people relying upon my certificates
> choose to verify signatures, check for revocation, or attempt to
> encrypt stuff destined for me.
>
> There needs to be a way for the RP to contact my OP and get access to
> my information (e.g., my current public key and revocation list) - by my
> explicit prior consent of course.
Having your public key discoverable at your URL makes lots of sense;
it is, by its very nature, public.
I would not consider fetching the public key to be a transaction though.
-- Dick