

Subject: Re: [xri] Summary on trust/KeyInfo issues


> xrd/link/ds:KeyInfo: has the public key of the Subject of the linked XRD. The linked XRD will be signed by the private key that corresponds to this public key, so users can verify that the link is actually an intended one.


Shouldn't this be the public key of the signatory of the linked XRD and not the public key of the Subject of the linked XRD? They are not the same in all cases.

Discussion Points

  1. Do we really need KeyDescriptor?
     Don't we need that to support multiple keys for rotation, signing vs. encryption?
     Perhaps different types of keys (RSA, DSA) for different apps.
     Having a single public key for the subject will cause griping in short order, I think.
  2. Do we really need xrd/link/Subject? Would not xrd/link/uri suffice?
     The URI that you use to discover the XRD is not necessarily the subject of the XRD.

John B.
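To make the distinction John raises concrete, here is an added example (written for this edit; it is not code from the thread, from OASIS, or from any XRD implementation) in Go: a consumer that follows an xrd/link and verifies the retrieved XRD against the ds:KeyInfo carried in the link. It assumes a simplified XRD model, an Ed25519 signature over a fixed serialization in place of XML-DSig, and hypothetical URIs and function names (Scenario, VerifyLinkedXRD); only the element names come from the proposal quoted below.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Link models xrd/link from the proposal: rel, uri, the Subject of the linked
// XRD, and the ds:KeyInfo carried in the link.
type Link struct {
	Rel     string
	URI     string
	Subject string
	KeyInfo ed25519.PublicKey // public key pinned for the linked XRD
}

// XRD models the parts of the proposed xrd element that matter here.
// XML-DSig is replaced by an Ed25519 signature over SignedContent (assumption).
type XRD struct {
	Subject    string
	SubjectKey ed25519.PublicKey // xrd/KeyDescriptor/ds:KeyInfo: key of the Subject
	SignerKey  ed25519.PublicKey // xrd/ds:Signature/ds:KeyInfo: key of the Signatory
	Links      []Link
	Signature  []byte // xrd/ds:Signature value
}

func b64(b []byte) string { return base64.StdEncoding.EncodeToString(b) }

// SignedContent is the byte string the signature covers. It stands in for
// XML-DSig canonicalization and deliberately excludes SignerKey and Signature:
// the key declared inside ds:Signature is self-asserted, so a verifier never
// relies on it.
func (x *XRD) SignedContent() []byte {
	s := "Subject=" + x.Subject + "\nSubjectKey=" + b64(x.SubjectKey) + "\n"
	for _, l := range x.Links {
		s += "Link=" + l.Rel + "|" + l.URI + "|" + l.Subject + "|" + b64(l.KeyInfo) + "\n"
	}
	return []byte(s)
}

// Sign signs the XRD with the Signatory's private key. The Signatory need not
// be the Subject: a hosting provider can sign an XRD about someone else.
func Sign(x *XRD, signer ed25519.PrivateKey) {
	x.SignerKey = signer.Public().(ed25519.PublicKey)
	x.Signature = ed25519.Sign(signer, x.SignedContent())
}

// VerifyLinkedXRD is what a consumer runs after following link.URI and
// retrieving dst. It trusts only the key pinned in the link, not the key the
// retrieved document declares for itself, and checks that the document is
// about the Subject the link named.
func VerifyLinkedXRD(link Link, dst *XRD) error {
	if len(link.KeyInfo) != ed25519.PublicKeySize {
		return errors.New("link carries no usable ds:KeyInfo")
	}
	if !ed25519.Verify(link.KeyInfo, dst.SignedContent(), dst.Signature) {
		return errors.New("linked XRD signature does not verify under the key pinned in the link")
	}
	if dst.Subject != link.Subject {
		return fmt.Errorf("linked XRD is about %q, link expected %q", dst.Subject, link.Subject)
	}
	return nil
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenario builds the case John raises: the Subject of the linked XRD and its
// Signatory hold different keys. It returns the linked XRD plus two candidate
// links to it, one pinning the Signatory's key and one pinning the Subject's.
// URIs are constructed for the example.
func Scenario() (linkSigner, linkSubject Link, linked *XRD) {
	subjectPub, _ := mustKey() // held by the Subject (goes in KeyDescriptor)
	_, signerPriv := mustKey() // held by whoever signs the hosted XRD
	linked = &XRD{Subject: "http://example.org/alice", SubjectKey: subjectPub}
	Sign(linked, signerPriv)

	linkSigner = Link{
		Rel:     "http://example.org/rel/friend",
		URI:     "https://host.example/xrd/alice",
		Subject: linked.Subject,
		KeyInfo: linked.SignerKey, // key (3) read as the Signatory's key
	}
	linkSubject = linkSigner
	linkSubject.KeyInfo = subjectPub // key (3) read as the Subject's key
	return linkSigner, linkSubject, linked
}

func main() {
	ls, lsub, x := Scenario()
	fmt.Println("pin signatory key:", VerifyLinkedXRD(ls, x))
	fmt.Println("pin subject key:  ", VerifyLinkedXRD(lsub, x))
	x.Subject = "http://evil.example/mallory" // tamper after signing
	fmt.Println("tampered document:", VerifyLinkedXRD(ls, x))
}
```

With the Subject's key pinned in the link, verification of a provider-signed XRD fails even though nothing is wrong, which is exactly why key (3) has to be the Signatory's; the Subject's own key(s) still belong in KeyDescriptor. Note also that the ds:KeyInfo inside the fetched document's ds:Signature is ignored on purpose: an attacker who can substitute the document can substitute that self-declared key too, so the link's KeyInfo is the only trust anchor the consumer has.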

On 23-Jul-09, at 2:39 AM, Nat Sakimura wrote:


Summing up the discussion, the current xrd proposal is looking like this. (Am I right?)

<xrd>
    <Subject set="beginswith">...</Subject>
    <Alias>...</Alias>
    <KeyDescriptor use="*">
        <ds:KeyInfo>
           ...
        </ds:KeyInfo>
    </KeyDescriptor>
    <ds:Signature>
        <ds:KeyInfo>
           ...
        </ds:KeyInfo>
    </ds:Signature>
    <link>
        <rel>...</rel>
        <uri>...</uri>
        <Subject>...</Subject>
        <ds:KeyInfo>
           ...
        </ds:KeyInfo>
    </link>
</xrd>

Description

xrd/Subject : Type=URI. Subject Identifier or portion of Subject Identifier. CanonicalID in XRDS.

xrd/Subject/@set : (Optional) Can be set to “beginswith” to signify that the URI is only partial and that the Subject begins with the string.

xrd/Alias: Alias URI for the Subject.

xrd/KeyDescriptor: Wrapper element for ds:KeyInfo for the Subject.

xrd/KeyDescriptor/@use : Specifies the usage of the KeyInfo, e.g., Signature, Encryption, etc.

xrd/ds:Signature: Expresses the Signatory and the Signature over this XRD.

xrd/link: Shows the relationship that this Subject perceives toward another subject.

xrd/link/Subject: the Subject of the linked XRD.
xrd/link/ds:KeyInfo: has the public key of the Subject of the linked XRD. The linked XRD will be signed by the private key that corresponds to this public key, so users can verify that the link is actually an intended one.

Discussion Points

  1. Do we really need KeyDescriptor?
  2. Do we really need xrd/link/Subject? Would not xrd/link/uri suffice?


Scott Cantor wrote:
Nat Sakimura wrote on 2009-07-17:

> In today's con-call, I think there were three types of keys to be
> expressed in XRD.
>
> (1) Key of the Subject
> (2) Key of the Signatory
> (3) Key of the linked XRD.

Right. I just needed to clarify which key (3) was referencing.

>> [1] Needs to be explicit...is it the signer of the linked XRD whose key
>> is being expressed in the link or the *subject* of the linked XRD?
>
> I think it should be the signer (signatory).

That's fine, I just wanted to make sure we were clear on it.

> Perhaps we can express both Key and Subject in the link, so that it will
> look like:

Doesn't seem like a problem to combine the two features to me.

-- Scott

