OASIS Mailing List Archives

 



xri message



Subject: RE: [xri] trust profiles for XRD


For b), please refer to the post that I did a couple of minutes ago.
Simply put, it does not... well, it just means that we cannot use the raw DNS based uri as CanonicalID.

Could you kindly elaborate on a)?

=nat

________________________________________
From: Brian Eaton [beaton@google.com]
Sent: December 19, 2008 1:26
To: Sakimura Nat
CC: Ben Laurie; George Fletcher; XRI TC
Subject: Re: [xri] trust profiles for XRD

Doing this would break

a) key rotation.
b) legitimate reassignment of domains.

On Thu, Dec 18, 2008 at 8:18 AM, Sakimura Nat <n-sakimura@nri.co.jp> wrote:
> One of the easiest ways is to rely on a registry that makes sure that the identifier is not going to be recycled.
> A properly run CA's higher assurance cert's Subject is one such example.
> XRI registry's persistent XRI (i-numbers) is another example.
>
> The rest is as described in the previous mail.
>
> =nat
>
> ________________________________________
> From: Ben Laurie [benl@google.com]
> Sent: December 18, 2008 16:53
> To: Sakimura Nat
> CC: George Fletcher; Brian Eaton; XRI TC
> Subject: Re: [xri] trust profiles for XRD
>
> On Thu, Dec 18, 2008 at 7:11 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
>>
>>
>> Ben Laurie wrote:
>>>
>>> On Wed, Dec 17, 2008 at 11:20 AM, Nat Sakimura <n-sakimura@nri.co.jp>
>>> wrote:
>>>
>>>>
>>>> Thanks Brian for the write up.
>>>>
>>>> I have added comments to the wiki.
>>>>
>>>> Basically, it is kind of unfortunate, in addition to what George has
>>>> pointed
>>>> out, if we consider the case of domain owner change into the scope, it
>>>> breaks.
>>>>
>>>
>>> Surely any signing scheme breaks if the owner of the signing authority
>>> can change?
>>>
>>
>> In the long run, the signing authority of the XRD and the owner of the domain
>> do not have to match.
>> Signing authority for my XRD that has my CanonicalID is me even if I lose the
>> authority over the domain.
>
> So how does this work?
>

