OASIS Mailing List Archives

xri message


Subject: Re: [xri] Re: XRD signed with Citizen Card


Thanks Markus for the example.

The idea was to use the user's unique and persistent identifier as the 
Subject (used to be CanonicalID) of the XRD.
Thus, the reader of the XRD will be pretty sure that this XRD was 
authoritative at least at the time of it being signed as long as the 
reader knows how to verify the cert. In some countries in the EU, we could 
use the Citizen ID in the cert as SubjectID.

The Austrian Citizen Cert is interesting and complex in a way that it 
does not include the Citizen ID and to link the Citizen ID to the cert, 
you need the "Identity Link" XML file. So, here, we have several options: 1) 
Use the concatenated Subject as the Subject, 2) Use the public key as 
Subject, and possibly, 3) generate ssPIN from the Identity Link and use 
it as Subject (I need to study the Identity Link a bit more for this 
option.)

So, yes, you could sign anyone's XRD with that Citizen Card, but the 
Cert/Subject does not match XRD/Subject so it fails the verification. In 
this construct, you can only sign your XRD to make a valid signed XRD.

Regards,

=nat

Markus Sabadello wrote:
> Actually, I could sign anyone's XRD with that Citizen Card, so I guess 
> this doesn't really prove it's the XRD of MY i-name, right? But I'm 
> sure this is interesting in some way.
>
> Nat, what again was the idea behind doing this? :)
>
> Markus
>
> On Sat, Feb 14, 2009 at 8:39 AM, Markus Sabadello 
> <markus.sabadello@xdi.org> wrote:
>
>     Hello,
>
>     In Austria we have something called Citizen Card, which is
>     basically a government verified certificate put onto a physical
>     card which you can use for e-government and other tasks.
>
>     Today I tried signing my i-name's XRD with that Citizen Card, find
>     attached the result. I'm also attaching the certificate as a
>     separate file.
>     The normal, non-signed XRD is
>     http://xri.net/=markus.sabadello?_xrd_r=application/xrd+xml;sep=false;debug=1
>
>     So assuming you trust the Austrian government, you can now be
>     quite sure that =markus.sabadello is really my i-name.
>
>     Thanks to Nat for the idea!
>
>     Markus
>
>
