Subject: RE: [xri] Minutes: XRI TC Telecon 2-3PM PT Thursday 2009-07-16


Markus Sabadello wrote on 2009-07-20:
> I assume that the "ds:KeyInfo at the XRD level" idea will be the mechanism
> of choice for XRI-based applications such as XDI messaging.
> I.e. when =markus sends a signed XDI message to =drummond, the signature
> can be verified by discovering =markus' key from his XRD.

If you want to use a signed XRD as the moral equivalent of a certificate,
then yeah, that's pretty much the issue.

> From an XRI perspective I think it makes total sense to have the "key info
> of the XRD Subject" at the XRD level.

Spec-wise, what's needed is a determination as to the scope of use cases to
meet.

In SAML metadata, the delta between "KeyInfo" and what was specified was the
ability to have multiple keys (easily met by making KeyInfo unbounded), to
delineate specific keys for the purposes of signing (incl. TLS) and
encryption, and to add some fairly non-well-thought-out bits for encryption
algorithm support.

The delta here may be less, the same, or more. I'm not really equipped to
answer that. Something SAML should have done but didn't is make the
KeyDescriptor wrapper more extensible. Having something to use later and
just leave relatively empty for now is probably the best compromise.

-- Scott
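The three deltas Scott lists between a bare ds:KeyInfo and SAML metadata's KeyDescriptor (several keys, a per-key signing/encryption "use", and an EncryptionMethod hint) are easy to see in key-selection code. The following is an added example, not code from the XRI TC, from any OASIS spec, or from either author of this exchange. It parses a constructed SAML-metadata-style document and a constructed XRD-style document with unbounded top-level ds:KeyInfo elements (the XRD namespace URI is assumed), and shows that only the wrapper form lets a relying party pick keys by purpose. It does not verify any XML signature: a key found this way is only as trustworthy as the document it came from.

```python
"""Key selection from SAML-style KeyDescriptor wrappers vs. bare ds:KeyInfo.

Added example (not from the XRI TC thread or any OASIS spec). Sample XML
below is constructed; the XRD namespace URI is an assumption.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
XRD = "http://docs.oasis-open.org/ns/xri/xrd-1.0"  # assumed XRD namespace
NS = {"md": MD, "ds": DS, "xrd": XRD}
PURPOSES = ("signing", "encryption")

# Constructed sample: one signing key, one encryption key with an
# EncryptionMethod hint, and one key with no 'use' at all.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:KeyName>sig-2009</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:KeyName>enc-2009</ds:KeyName></ds:KeyInfo>
      <md:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:KeyName>legacy-both</ds:KeyName></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of the "KeyInfo unbounded at the XRD level" idea:
# several keys, but nothing says which one is for what.
SAMPLE_XRD = f"""<XRD xmlns="{XRD}" xmlns:ds="{DS}">
  <Subject>=markus</Subject>
  <ds:KeyInfo><ds:KeyName>markus-key-1</ds:KeyName></ds:KeyInfo>
  <ds:KeyInfo><ds:KeyName>markus-key-2</ds:KeyName></ds:KeyInfo>
</XRD>
"""


def _key_names(key_info):
    """KeyName values plus X509Certificate blobs found inside one ds:KeyInfo."""
    names = [n.text for n in key_info.findall("ds:KeyName", NS)]
    names += [c.text.strip() for c in
              key_info.findall("ds:X509Data/ds:X509Certificate", NS)]
    return names


def parse_key_descriptors(xml_text):
    """Each md:KeyDescriptor -> {'use', 'keys', 'enc_methods'}.

    Rejects any 'use' value other than signing/encryption instead of
    silently treating an unknown value as "any purpose".
    """
    root = ET.fromstring(xml_text)
    out = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use")
        if use is not None and use not in PURPOSES:
            raise ValueError(f"unknown KeyDescriptor use: {use!r}")
        keys = []
        for ki in kd.findall("ds:KeyInfo", NS):
            keys += _key_names(ki)
        methods = [m.get("Algorithm") for m in kd.findall("md:EncryptionMethod", NS)]
        out.append({"use": use, "keys": keys, "enc_methods": methods})
    return out


def keys_for(descriptors, purpose):
    """Key names acceptable for 'signing' or 'encryption'.

    A descriptor with no 'use' attribute qualifies for both, which is how
    SAML metadata defines the absent attribute.
    """
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose!r}")
    return [k for d in descriptors if d["use"] in (None, purpose) for k in d["keys"]]


def encryption_methods(descriptors):
    """Algorithm URIs advertised alongside encryption-capable keys."""
    return [m for d in descriptors if d["use"] in (None, "encryption")
            for m in d["enc_methods"]]


def xrd_keys(xml_text):
    """All top-level ds:KeyInfo keys of an XRD; no purpose can be inferred."""
    root = ET.fromstring(xml_text)
    return [k for ki in root.findall("ds:KeyInfo", NS) for k in _key_names(ki)]


if __name__ == "__main__":
    descs = parse_key_descriptors(SAMPLE_METADATA)
    print("signing:", keys_for(descs, "signing"))
    print("encryption:", keys_for(descs, "encryption"))
    print("enc methods:", encryption_methods(descs))
    print("xrd keys (any purpose):", xrd_keys(SAMPLE_XRD))
```

The XRD branch returns every key and leaves the caller to try each one, which is exactly the gap a KeyDescriptor-like wrapper with a reserved, initially empty extension point would close later. Whichever form is chosen, a relying party should only act on keys taken from a document whose own signature it has verified against a trust anchor it already holds.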

