

Subject: RE: [xri] subject sets (also sort of: Agenda for August 6, 2009 call)




> -----Original Message-----
> From: Scott Cantor [mailto:cantor.2@osu.edu]
> Sent: Friday, August 07, 2009 10:13 AM

> And why do I have to sign with a certificate containing the same
> "authority"? What if I want a third party to sign it?
>
> This is not something I understood to be an assumption of XRD. The subject
> of a certificate is only *that*. It's about the entity possessing the key.
> That should be orthogonal to the XRD Subject.
>
> What I'm trying to say is that "PKI trust model" means nothing more or less
> than "I have a model for establishing a relationship between the XRD signer
> and the XRD subject, and a way to establish the validity of the signer's
> key". I don't think it's right to bake more into it than that.

We need a simple way to verify the association between the Subject of the XRD and the certificate used to sign it. The requirement we have is to have a way to guarantee that the same entity which controls the domain name in the Subject, controls the certificate as well, and signed the XRD.

You can sign an XRD using anything, but our focus has been on the resource owner being able to describe the resource (Subject) and sign it in a way that a client can confirm that it was really the resource owner who described it. Since we are dealing with many limitations, we decided to limit this to the authority level (which is defined in 3896).

EHL
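
An added illustration of the authority-level check described in the message above; it is not code from the thread or from the XRD specification. It assumes "authority" means the URI authority component of the Subject, that the certificate chain and the XRD signature have already been validated elsewhere, and that the certificate's DNS names arrive as a plain list; the function names and sample values are hypothetical.

```python
from urllib.parse import urlsplit


def subject_authority_host(subject_uri):
    """Return the normalized host from the Subject's authority, or None.

    Only the host part is used: userinfo and port are dropped, so a
    Subject such as https://example.com@evil.example/ resolves to
    evil.example, not example.com.
    """
    try:
        host = urlsplit(subject_uri).hostname  # lowercased by urllib
    except ValueError:
        return None  # malformed authority, e.g. an unclosed IPv6 bracket
    if not host:
        return None  # no authority component at all (e.g. acct:bob@example.com)
    return host.rstrip(".")  # treat the fully qualified form as equivalent


def signer_matches_subject(subject_uri, cert_dns_names):
    """True only if the Subject's host exactly equals a certificate name.

    Assumption: exact, case-insensitive matching with no wildcard or
    suffix logic, so example.com.evil.example never matches example.com.
    """
    host = subject_authority_host(subject_uri)
    if host is None:
        return False  # fail closed when the Subject has no usable authority
    names = {name.lower().rstrip(".") for name in cert_dns_names}
    return host in names


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    cert_names = ["example.com"]
    for subject in (
        "https://example.com/users/bob",
        "HTTPS://Example.COM:8443/users/bob",
        "https://example.com@evil.example/users/bob",
        "https://example.com.evil.example/users/bob",
        "acct:bob@example.com",
    ):
        print(subject, "->", signer_matches_subject(subject, cert_names))
```

A third-party signer, as raised in the quoted message, fails this check by design, since its certificate names would not include the Subject's host.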
