OASIS Mailing List Archives

xri message


Subject: RE: [xri] CanonicalID in XrdOne/TrustWorkflowByExample


beaton@google.com wrote:
> I don't understand this proposal at all.  Certificate Authorities
> don't assign URIs.  They issue certs.  Can you explain what you mean
> about CA responsibility to prevent reassignment of URIs?

No. They do not assign URIs.

But I am not talking about normal URI or Domain name here.

What I am talking about is a unique string that identifies the Subject, which happens to be an abstract cool URI.
A domain can be reassigned, but this unique string must not be reassigned to another subject.
If we hinge upon a usual domain name / URI, we may end up with another entity than a previously transacted entity. This is a.k.a. the identifier recycling problem in OpenID. Currently, in OpenID AuthN 2.0, it is the job of the OP to keep this string unique, but it does not work with delegation nor the case when the OP went out of business etc. That's why I am proposing to move this task to the CA.
It is a regular job of a CA to do this "identification" and keep a record of it. Then, why not leverage it?
I think it is a reasonable thing to do.

If the example being in a URI format confuses you, you could just replace it with something like a UUID or an i-number.

=nat

________________________________________
From: Brian Eaton [beaton@google.com]
Sent: December 11, 2008 6:30
To: Sakimura Nat
CC: XRI TC
Subject: Re: [xri] CanonicalID in XrdOne/TrustWorkflowByExample

Hi Nat -

On Tue, Dec 9, 2008 at 11:22 PM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
> I am breaking up the threads into relevant topics.
>
> I think the CanonicalID should be a Cool URI (or persistent XRI), and
> not just a regular URI (Domain name).
> It is the CA's responsibility that this Cool URI will never be reassigned
> to another Subject.

I don't understand this proposal at all.  Certificate Authorities
don't assign URIs.  They issue certs.  Can you explain what you mean
about CA responsibility to prevent reassignment of URIs?
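
Added example, not part of the original messages: a constructed model of the identifier recycling problem discussed in this thread, comparing a relying party that binds accounts to a reassignable URI with one that binds them to a persistent string that is never reassigned. The class names, URIs and UUID-style values are hypothetical, and who issues the persistent string (the CA, in the proposal above) is outside the model.

```python
# Constructed model (added example): an RP binding accounts to an identifier.
from dataclasses import dataclass


@dataclass(frozen=True)
class Assertion:
    claimed_uri: str    # ordinary URI / domain name: can be reassigned
    persistent_id: str  # unique string for the Subject: never reassigned


class RelyingParty:
    def __init__(self, key_on_persistent_id):
        self.key_on_persistent_id = key_on_persistent_id
        self.accounts = {}  # binding key -> local account

    def _key(self, a):
        return a.persistent_id if self.key_on_persistent_id else a.claimed_uri

    def register(self, a, account):
        self.accounts[self._key(a)] = account

    def login(self, a):
        # Returns the bound account, or None when the identifier is unknown.
        return self.accounts.get(self._key(a))


# Constructed sample values; none come from the thread.
ORIGINAL = Assertion("https://alice.example/", "urn:uuid:00000000-0000-4000-8000-000000000001")
# Same URI later held by a different subject, who gets a different persistent string.
RECYCLED = Assertion("https://alice.example/", "urn:uuid:00000000-0000-4000-8000-000000000002")
# Original subject after moving to another provider: new URI, same persistent string.
MOVED = Assertion("https://alice.other.example/", "urn:uuid:00000000-0000-4000-8000-000000000001")


def outcomes(key_on_persistent_id):
    rp = RelyingParty(key_on_persistent_id)
    rp.register(ORIGINAL, "alice-account")
    return {"recycled": rp.login(RECYCLED), "moved": rp.login(MOVED)}


if __name__ == "__main__":
    print("keyed on URI:          ", outcomes(False))
    print("keyed on persistent id:", outcomes(True))
```

Keyed on the URI, the new holder of the recycled URI reaches the original account while the original subject loses it after moving; keyed on the persistent string, both outcomes are reversed.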