OASIS Mailing List Archives

xri message

Subject: Re: [xri] SimpleSign for establishing the authenticity of XRD.


The XRI resolver produces an XRD Sequence (XRDS) as its output; that XML document contains the chain of XRD documents resolved.

The client can then verify the signatures of each of the XRDs contained in the XRDS.

The last XRD in the XRDS is the one with the SEPs that you are interested in. The other XRDs in the XRDS provide the audit info for the client to verify.

This is particularly important where you are doing XRI resolution through a proxy resolver that you may or may not trust.

The concept of producing an XRD Sequence is not unlike what you are talking about with delegation.

An XRDS containing all the XRDs that the resolver processed could be returned to the requester for it to audit and verify the signatures, or at least the delegation chain.

=jbradley

On 11-Dec-08, at 12:47 PM, Brian Eaton wrote:

On Thu, Dec 11, 2008 at 1:09 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
Unfortunately, as far as I understand, this is exactly the case for XRI
resolution.
XRI resolution traverses through Authorities, and each authority returns an
XRD, pointing to the next authority.
This means, each XRD will be signed by different authorities. It is the use
case of the XRI SAML Trusted Resolution.
Then -- I have not touched the spec for a long time, so I may be wrong.

Perhaps Peter or John could clarify.

I've read Peter's clarification, but I'm still confused about why this
would be a problem for XRD simple sign.  Let's say you've got 3
authorities involved in the XRD resolution.

Authority A returns A.xml, signed with A's key.
Authority B returns B.xml, signed with B's key.
Authority C returns C.xml, signed with C's key.

The client verifies the signatures on each of the documents, and that
the pointers from one document to the next are legitimate.  I'm
clearly missing something about the XRI resolution process.  Where
does this process break down?
