Re: [xri] trust profiles for XRD

[Ben Laurie <benl@google.com>]

On Thu, Dec 18, 2008 at 4:44 PM, Sakimura Nat <n-sakimura@nri.co.jp> wrote:
> Indeed, and one of the most obvious way to mitigate the problem is to rely on a trusted registry that makes sure that it does not get reassigned to another party. Then the problem is reduced to whether you believe the operation and longevity of that registry.
>
> For example, Alice may at one time claim that alice.name belongs to her and she intents to use it as an abstract identifier for her.
> Then, she could obtain a cert from, say, a reputed CA called Verising. However, she cannot get it for http://alice.name/. Instead, she has to create a fragment portion as well, so that the abstract identifier would look like http://alice.name/#20081216 .
> Verising issues a certificate for this abstract identifer.
>
> At a later date, Alice looses alice.name. Bob gets it.
> To impersonate her accounts, he tries to get a cert from Verising for http://alice.name/#20081216.
> Verisign then checks if Bob is the same person as Alice, and finds out he is not.
> Then, Verising would not issue the cert. It would for something like http://alice.name/#20110303 but not http://alice.name/#20081216 .

So, in other words, we solve the identity problem by getting somebody
else to solve the identity problem.

I don't find this idea very attractive.

If users really want identifiers that last forever, then they can buy
them from a domain that promises to stay around forever (for example,
for £500 I could get a domain in .uk for the next 100 years). I don't
see why we'd want to construct the spec so that the _only_ way to get
an identifier is through a similarly expensive process.

By all means, though, point out that if you lose your domain, then you
lose your identifier.

>
> Bob may get a cert for http://alice.name/#20081216 from somebody else, though.
> So, the CanonicalID cannot be http://alice.name/#20081216.
> Instead, it would be more like http://verising.com/absids/alice.name/#20081216.
> Essentially, it would have to be a concatination of issuer id and the subject id.
>
> In fact, XRI registry by XDI.ORG is just a variation of it.
>
> =nat
>
> ________________________________________
> 差出人: Peter Davis [peter.davis@neustar.biz]
> 送信日時: 2008年12月18日 22:10
> 宛先: Sakimura Nat
> CC: Ben Laurie; George Fletcher; Brian Eaton; XRI TC
> 件名: Re: [xri] trust profiles for XRD
>
> On Dec 18, 2008, at 2:11 AM, Nat Sakimura wrote:
>
>> In a long run, a signing authority of the XRD and the owner of the
>> domain does not have to match.
>> Sining authority for my XRD that has my CanonicalID is me even if I
>> lose the authority over the domain.
>
> however, if your CanonicalID is anchored in a DNS namespace you no
> longer control, there are no assurances that the identifier will not
> get repurposed.  This gets to subject identifier collisions, something
> the SSTC is revisiting now with some new profiles.
>
> =peterd
>