OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xri message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xri] trust profiles for XRD

Indeed, and one of the most obvious way to mitigate the problem is to rely on a trusted registry that makes sure that it does not get reassigned to another party. Then the problem is reduced to whether you believe the operation and longevity of that registry.

For example, Alice may at one time claim that alice.name belongs to her and she intents to use it as an abstract identifier for her.
Then, she could obtain a cert from, say, a reputed CA called Verising. However, she cannot get it for http://alice.name/. Instead, she has to create a fragment portion as well, so that the abstract identifier would look like http://alice.name/#20081216 .
Verising issues a certificate for this abstract identifer.

At a later date, Alice looses alice.name. Bob gets it.
To impersonate her accounts, he tries to get a cert from Verising for http://alice.name/#20081216.
Verisign then checks if Bob is the same person as Alice, and finds out he is not.
Then, Verising would not issue the cert. It would for something like http://alice.name/#20110303 but not http://alice.name/#20081216 .

Bob may get a cert for http://alice.name/#20081216 from somebody else, though.
So, the CanonicalID cannot be http://alice.name/#20081216.
Instead, it would be more like http://verising.com/absids/alice.name/#20081216.
Essentially, it would have to be a concatination of issuer id and the subject id.

In fact, XRI registry by XDI.ORG is just a variation of it.

=nat

________________________________________
差出人: Peter Davis [peter.davis@neustar.biz]
送信日時: 2008年12月18日 22:10
宛先: Sakimura Nat
CC: Ben Laurie; George Fletcher; Brian Eaton; XRI TC
件名: Re: [xri] trust profiles for XRD

On Dec 18, 2008, at 2:11 AM, Nat Sakimura wrote:

> In a long run, a signing authority of the XRD and the owner of the
> domain does not have to match.
> Sining authority for my XRD that has my CanonicalID is me even if I
> lose the authority over the domain.

however, if your CanonicalID is anchored in a DNS namespace you no
longer control, there are no assurances that the identifier will not
get repurposed.  This gets to subject identifier collisions, something
the SSTC is revisiting now with some new profiles.

=peterd

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]