
Subject: RE: [xri] subject sets (also sort of: Agenda for August 6, 2009 call)


John Bradley wrote on 2009-08-09:
> XRD needs to specify how XRD's are signed from a XML perspective.
> 
> However the XRD spec should not be mandating the relationships between
> the signatures and the subject.

Right. I also understood that there were some specific linking elements
designed to express constraints on the result of the link, and that's fine,
as long as they're also suitably abstracted from specific approaches. This
was all discussed in the thread(s) on the trust models to support, wherein I
suggested that the core spec leave it at "requiring correspondence" between
particular elements and that a specific method or two for matching (e.g.
comparing public keys) be defined as a useful (and maybe MTI) profile.

> I think Scott and I are just saying that the core XRD spec should not
> preclude other trust models.
> 
> I think Scott was suggesting keeping the core spec generic and
> producing profiles for the different use cases.   Somewhat like SAML.

Yes. Needless to say, I think that's the proper way to layer a spec like
this.

> The fine points of requiring RSA vs ECDSA, SHA1 vs SHA256, Keyinfo vs
> KeyData, as well as what needs to be verified and how need to be in
> a doc with a conformance requirement.

Right. Usually conformance deals with profiles, and then includes rules
about MTI algorithms and such, but the division of labor there is relatively
arbitrary.

I think that's all just another way of saying that we should define a very
minimal set of things around trust for now, and then leave the rest to
profiles.

I'm also willing to help write some of this text, but was waiting on this
subject matching stuff to stabilize before I tried to help Will with the
rest.

-- Scott



