[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xri] trust profiles for XRD
On Thu, Dec 18, 2008 at 4:44 PM, Sakimura Nat <n-sakimura@nri.co.jp> wrote: > Indeed, and one of the most obvious way to mitigate the problem is to rely on a trusted registry that makes sure that it does not get reassigned to another party. Then the problem is reduced to whether you believe the operation and longevity of that registry. > > For example, Alice may at one time claim that alice.name belongs to her and she intents to use it as an abstract identifier for her. > Then, she could obtain a cert from, say, a reputed CA called Verising. However, she cannot get it for http://alice.name/. Instead, she has to create a fragment portion as well, so that the abstract identifier would look like http://alice.name/#20081216 . > Verising issues a certificate for this abstract identifer. > > At a later date, Alice looses alice.name. Bob gets it. > To impersonate her accounts, he tries to get a cert from Verising for http://alice.name/#20081216. > Verisign then checks if Bob is the same person as Alice, and finds out he is not. > Then, Verising would not issue the cert. It would for something like http://alice.name/#20110303 but not http://alice.name/#20081216 . So, in other words, we solve the identity problem by getting somebody else to solve the identity problem. I don't find this idea very attractive. If users really want identifiers that last forever, then they can buy them from a domain that promises to stay around forever (for example, for £500 I could get a domain in .uk for the next 100 years). I don't see why we'd want to construct the spec so that the _only_ way to get an identifier is through a similarly expensive process. By all means, though, point out that if you lose your domain, then you lose your identifier. > > Bob may get a cert for http://alice.name/#20081216 from somebody else, though. > So, the CanonicalID cannot be http://alice.name/#20081216. > Instead, it would be more like http://verising.com/absids/alice.name/#20081216. > Essentially, it would have to be a concatination of issuer id and the subject id. > > In fact, XRI registry by XDI.ORG is just a variation of it. > > =nat > > ________________________________________ > 差出人: Peter Davis [peter.davis@neustar.biz] > 送信日時: 2008年12月18日 22:10 > 宛先: Sakimura Nat > CC: Ben Laurie; George Fletcher; Brian Eaton; XRI TC > 件名: Re: [xri] trust profiles for XRD > > On Dec 18, 2008, at 2:11 AM, Nat Sakimura wrote: > >> In a long run, a signing authority of the XRD and the owner of the >> domain does not have to match. >> Sining authority for my XRD that has my CanonicalID is me even if I >> lose the authority over the domain. > > however, if your CanonicalID is anchored in a DNS namespace you no > longer control, there are no assurances that the identifier will not > get repurposed. This gets to subject identifier collisions, something > the SSTC is revisiting now with some new profiles. > > =peterd >
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]