xri message

Subject: Re: The elements formerly known as TargetAuthority and TargetSubject


Talked with Drummond just now to understand this subject.

Here is the summary.

Let there be two XRDs, XRD1 and XRD2.
XRD1 delegates some functionality to XRD2 through a Link relationship.

There are two steps in the trust establishment.

1. Root XRD Trust
2. Delegation

1. Root XRD Trust

The starting XRD, in this case, XRD1 MUST be signed in such a way
that

  Case A) : A Priori Known Trust
    The community in question knows an a priori known DSA public key value, i.e.,
   XRD/ds:KeyInfo/ds:KeyValue/ds:DSAKeyValue

  Case B) : Third Party X.509 Certificate
    In this case, XRD/ds:KeyInfo/X509Data/ must somehow be related to
    XRD/Subject.
    <<<< This needs to be defined!

    One proposal is that CN of the certificate is a substring
    of the Subject. e.g., CN of the Certs = example.com OR
     SubjectAltName includes example.com, etc.

    <<<< In OpenID Case, especially in XRI case, this may be too weak.
     http://xri.net/ is not authoritative on http://xri.net/=sakimura.
     Perhaps we should require that one of the SubjectAltName values match the
     XRD/Subject?

2. Delegation

   For delegation, besides XRD2's integrity being OK as in 1. above,

  Case A) If XRD1/Link has Subject,
     XRD1/Link/Subject MUST match XRD2/Subject

  Case B) Else
     XRD1/Link/ds:KeyInfo == XRD2/ds:KeyInfo

     <<<< OR shall we just say that
        pub key in the XRD1/Link/ds:KeyInfo
        == pub key in the XRD2/ds:KeyInfo ?

=nat
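As an added example (not code from this thread or from the XRD specification), the two checks summarised above, expressed over ElementTree-parsed XRDs. The namespace URIs, the element layout (ds:KeyInfo as a direct child of XRD and of Link, as written above), the placeholder key and certificate values, and the subjectAltName list being extracted from the certificate beforehand are all assumptions of the example.

```python
import xml.etree.ElementTree as ET

# Namespace URIs assumed for this example (XRD 1.0 draft and XML Signature).
NS = {"xrd": "http://docs.oasis-open.org/ns/xri/xrd-1.0",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def dsa_pubkey(keyinfo):
    """(P, Q, G, Y) from ds:KeyInfo/ds:KeyValue/ds:DSAKeyValue, or None.
    Base64 whitespace is stripped so differently wrapped copies of one key compare equal."""
    kv = None if keyinfo is None else keyinfo.find("ds:KeyValue/ds:DSAKeyValue", NS)
    if kv is None:
        return None
    return tuple("".join(kv.findtext("ds:" + n, "", NS).split()) for n in "PQGY")

def root_trust_ok(xrd, known_keys=(), san_names=()):
    """Step 1, Root XRD Trust. Case A: the DSA key is a priori known.
    Case B: a subjectAltName of the cert equals XRD/Subject exactly (the stricter
    rule proposed above; san_names is assumed already extracted from the cert)."""
    keyinfo = xrd.find("ds:KeyInfo", NS)
    key = dsa_pubkey(keyinfo)
    if key is not None and key in known_keys:
        return True
    subject = xrd.findtext("xrd:Subject", "", NS).strip()
    has_cert = keyinfo is not None and keyinfo.find("ds:X509Data", NS) is not None
    return has_cert and subject != "" and subject in san_names

def delegation_ok(xrd1, xrd2):
    """Step 2, Delegation. Case A: XRD1/Link/Subject must equal XRD2/Subject.
    Case B (no Link/Subject): the key in XRD1/Link/ds:KeyInfo must equal XRD2's."""
    link = xrd1.find("xrd:Link", NS)
    if link is None:
        return False
    link_subject = link.findtext("xrd:Subject", None, NS)
    if link_subject is not None:
        return link_subject.strip() == xrd2.findtext("xrd:Subject", "", NS).strip()
    key1 = dsa_pubkey(link.find("ds:KeyInfo", NS))
    return key1 is not None and key1 == dsa_pubkey(xrd2.find("ds:KeyInfo", NS))

# Constructed sample XRDs; key and certificate values are placeholders, not real material.
DSA = ("<ds:KeyInfo><ds:KeyValue><ds:DSAKeyValue><ds:P>{p}</ds:P><ds:Q>q==</ds:Q>"
       "<ds:G>g==</ds:G><ds:Y>{y}</ds:Y></ds:DSAKeyValue></ds:KeyValue></ds:KeyInfo>")
CERT = "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
HDR = '<XRD xmlns="%s" xmlns:ds="%s">' % (NS["xrd"], NS["ds"])
XRD2 = ET.fromstring(HDR + "<Subject>http://xri.net/=sakimura</Subject>"
                     + DSA.format(p="p2==", y="y2==") + "</XRD>")
XRD1_BY_SUBJECT = ET.fromstring(HDR + "<Subject>http://xri.net/</Subject>" + CERT
                     + "<Link><Subject>http://xri.net/=sakimura</Subject></Link></XRD>")
XRD1_BY_KEY = ET.fromstring(HDR + "<Subject>http://xri.net/</Subject>" + DSA.format(p="p1==", y="y1==")
                     + "<Link>" + DSA.format(p="p2 ==", y="y2==") + "</Link></XRD>")
```

With these documents, XRD1_BY_SUBJECT delegates by matching Link/Subject and XRD1_BY_KEY by matching the public key (the extra space in its P value shows why whitespace is normalised before comparing); root trust for XRD1_BY_SUBJECT only succeeds when a subjectAltName equals its Subject exactly, not when it merely contains "xri.net".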

--------------------------------------------------
From: "Drummond Reed" <drummond.reed@cordance.net>
Sent: Wednesday, July 01, 2009 1:10 PM
To: "Sakimura Nat" <n-sakimura@nri.co.jp>; "'Breno de Medeiros'" 
<breno@google.com>; "'XRI TC'" <xri@lists.oasis-open.org>
Subject: The elements formerly known as TargetAuthority and TargetSubject

> I finished the promised wiki page and posted it to:
>
>        http://wiki.oasis-open.org/xri/XrdOne/TrustElements
>
> As always, doing a full writeup of the functional definitions of the
> elements shed surprising light on both of them. In fact it led to a very
> unexpected conclusion about their respective names, which I guarantee will
> surprise you.
>
> Please read it over and post your thoughts -- the sooner the better, as this
> is clearly an issue we must close before we are ready for a Committee Draft.
>
> =Drummond
>
>> -----Original Message-----
>> From: Drummond Reed [mailto:drummond.reed@cordance.net]
>> Sent: Tuesday, June 30, 2009 12:10 PM
>> To: 'Nat Sakimura'; 'Breno de Medeiros'; 'XRI TC'
>> Subject: RE: [xri] TargetAuthority and TargetSubject
>>
>> I had an action item from the last telecon to send a proposal wrt the
>> element name TargetAuthority too.
>>
>> I have found that when it comes to the semantics of XML element names, it is
>> best to try to derive the semantic name on the basis of shared functional
>> definitions and not the other way around.
>>
>> I have started drafting a wiki page to do this but need to head out to a
>> series of meetings this afternoon - I'll post the page as soon as I get
>> back.
>>
>> =Drummond
>
> 
