Subject: Re: [xri] Minutes: XRI TC Telecon 2-3PM PT Thursday 2009-07-16




Scott Cantor wrote:
> Markus Sabadello wrote on 2009-07-20:
>> I assume that the "ds:KeyInfo at the XRD level" idea will be the mechanism
>> of choice for XRI-based applications such as XDI messaging.
>> I.e. when =markus sends a signed XDI message to =drummond, the signature
>> can be verified by discovering =markus' key from his XRD.
>
> If you want to use a signed XRD as the moral equivalent of a certificate,
> then yeah, that's pretty much the issue.
>
>> From an XRI perspective I think it makes total sense to have the "key info
>> of the XRD Subject" at the XRD level.
>
> Spec-wise, what's needed is a determination as to the scope of use cases to
> meet.
>
> In SAML metadata, the delta between "KeyInfo" and what was specified was the
> ability to have multiple keys (easily met by making KeyInfo unbounded), to

I suppose it is required for key rotation purposes.

> delineate specific keys for the purposes of signing (incl. TLS) and
> encryption, and to add some fairly non-well-thought-out bits for encryption
> algorithm support.

Looks like being able to specify signing key, authentication key, encryption key separately is the fave of some of the security experts. If we take that position, then we would need something like saml:KeyDescriptor. Perhaps we can just borrow the text or reference it.

> The delta here may be less, the same, or more. I'm not really equipped to
> answer that. Something SAML should have done but didn't is make the
> KeyDescriptor wrapper more extensible. Having something to use later and
> just leave relatively empty for now is probably the best compromise.
>
> -- Scott
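The thread contrasts two shapes for subject keys in an XRD: a bare ds:KeyInfo at the XRD level, and a SAML-style md:KeyDescriptor wrapper that allows several keys (rotation) and marks each one for signing or encryption. The following is an added example, not code from the XRI TC or from either message; the XRD and XML-DSig namespaces are the real ones, but placing md:KeyDescriptor directly under the XRD root is an assumption made for illustration, and the document and key names are constructed. It shows how a relying party would pick only keys that are permitted for a given purpose, so that an encryption-only key is never accepted when verifying a signature, while a key with no declared use (SAML semantics) is accepted for either.

```python
"""Select an XRD subject's keys by intended use, SAML KeyDescriptor style.

Added example (not from the XRI TC or any project). ASSUMPTION: md:KeyDescriptor
wrappers and bare ds:KeyInfo elements sit directly under the XRD root.
"""
import xml.etree.ElementTree as ET

NS = {
    "xrd": "http://docs.oasis-open.org/ns/xri/xrd-1.0",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}

# Constructed sample XRD: one bare KeyInfo (the "KeyInfo at the XRD level"
# form), two current/previous signing keys, one encryption key, one key with
# no declared use. Key names are placeholders, not real key material.
SAMPLE_XRD = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"
     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
     xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <Subject>=markus</Subject>
  <ds:KeyInfo><ds:KeyName>bare-xrd-level</ds:KeyName></ds:KeyInfo>
  <md:KeyDescriptor use="signing">
    <ds:KeyInfo><ds:KeyName>sign-2009-07</ds:KeyName></ds:KeyInfo>
  </md:KeyDescriptor>
  <md:KeyDescriptor use="signing">
    <ds:KeyInfo><ds:KeyName>sign-2009-01</ds:KeyName></ds:KeyInfo>
  </md:KeyDescriptor>
  <md:KeyDescriptor use="encryption">
    <ds:KeyInfo><ds:KeyName>enc-2009-07</ds:KeyName></ds:KeyInfo>
  </md:KeyDescriptor>
  <md:KeyDescriptor>
    <ds:KeyInfo><ds:KeyName>legacy-any</ds:KeyName></ds:KeyInfo>
  </md:KeyDescriptor>
</XRD>
"""

KEYINFO_TAG = "{%s}KeyInfo" % NS["ds"]
KEYDESC_TAG = "{%s}KeyDescriptor" % NS["md"]


def keys_for_use(xrd_xml, use):
    """Return ds:KeyName values usable for `use` ("signing" or "encryption").

    A bare ds:KeyInfo at the XRD level carries no use attribute, and a
    KeyDescriptor without `use` is, as in SAML metadata, valid for any use.
    Document order is preserved so callers can try current keys first.
    """
    root = ET.fromstring(xrd_xml)
    names = []
    for child in root:
        if child.tag == KEYINFO_TAG:
            declared, keyinfos = None, [child]
        elif child.tag == KEYDESC_TAG:
            declared, keyinfos = child.get("use"), child.findall("ds:KeyInfo", NS)
        else:
            continue  # Subject, Link, etc. are not key holders
        if declared is not None and declared != use:
            continue  # key is restricted to a different purpose
        for ki in keyinfos:
            for kn in ki.findall("ds:KeyName", NS):
                names.append(kn.text)
    return names


def is_acceptable_signing_key(xrd_xml, key_name_from_message):
    """True only if the key named in a received message is published for signing.

    Rejecting encryption-only keys here is the point of delineating uses: a
    signer must not be able to get a message accepted under a key the subject
    never intended for signatures.
    """
    return key_name_from_message in keys_for_use(xrd_xml, "signing")


if __name__ == "__main__":
    print("signing keys:   ", keys_for_use(SAMPLE_XRD, "signing"))
    print("encryption keys:", keys_for_use(SAMPLE_XRD, "encryption"))
    print("enc key ok to sign?", is_acceptable_signing_key(SAMPLE_XRD, "enc-2009-07"))
```

With several signing keys published, a verifier iterates the returned list in document order, which is the rotation case raised in the thread: the newest key is listed first, and the previous one stays until messages signed with it have aged out.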
