
xri message



Subject: Re: [xri] XRD trusted discovery workflow


Yes, I agree this is the province of the trust workflow, and I agree
it should be the naming authority that does the assignment.

Where I get confused is where the naming authority is also a CA, since
those are different entities in OpenID today.

On Thu, Dec 11, 2008 at 3:13 PM, Sakimura Nat <n-sakimura@nri.co.jp> wrote:
> Till yesterday, I had an impression that the Trust Workflow was trying to achieve it.
>
> Generally speaking, it should be the naming authority that does this.
> That is, if it were http://example.com/alice and http://example.com/bob , then it should be example.com that signs this.
>
> If Trust Workflow does not cover this issue, then we have to create another proposal on it, though it is not essential for use cases like OpenID, where the authentication should happen over CID. Under this scenario, even if the mapping from an identity uri to XRD was insecure, the end result will not change. The attacker will be able to log in only with his CID.
>
> =nat
>
> ________________________________________
> From: Brian Eaton [beaton@google.com]
> Sent: December 12, 2008 7:19
> To: Sakimura Nat
> CC: Dirk Balfanz; xri@lists.oasis-open.org
> Subject: Re: [xri] XRD trusted discovery workflow
>
> On Thu, Dec 11, 2008 at 2:11 PM, Sakimura Nat <n-sakimura@nri.co.jp> wrote:
>> It is authoritative to the CID. For OpenID use case, that would be enough.
>>
>> There has to be another document that links URI to CID, similarly signed if we need the
>> authenticity of the synonyms.
>
> Yes, that's what I'm asking about.  Who does that binding, where does it happen?
>

