Subject: RE: [xri] Minutes: XRI TC Telecon 2-3PM PT Thursday 2009-12-17
Will Norris wrote on 2009-12-17:

> (We then had a lengthy discussion about the approaches to XRD trust, mainly
> between Breno and Scott. There are a few holes, but I think I captured most
> of it:)

Pretty well, I wasn't as focused as I should have been, long day of meetings and local politics. My rants about the uselessness of PKI can be safely ignored, the world will either continue down that rathole or not, but that's not our problem here.

Let me try and summarize what I think was basically agreed about, and Breno can correct me...

We do a base profile that essentially requires the signing certificate and the XRD Subject to "match", where that implies TLS matching rules (favor URI or DNS subjectAltName, allow CN). In the DNS case, the matching only applies to Subject URIs that can be mapped to an http(s) URI.

The profile doesn't call out any use of X.509 extensions to allow or disallow such signing (but other profiles may). It also doesn't call out the certificate validation process (but other profiles may). It also doesn't call out any transport-related requirements for the acquisition of the XRD, but may note that risks exist if insecure transports are used. (Note that this means the XRD could be signed by a different certificate than the TLS certificate one might encounter when obtaining it.)

It is, in other words, name matching and that's about it. But it can be implemented by an XRD library with the signing certificate/chain exposed for consumption by profiles layered on top of this one.

-- Scott
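
The name matching summarized in the message above, sketched as an added example that is not part of the original email and is not code from the TC or any XRD library. The function names, the exact-string URI comparison, the wildcard rule, the "CN only when no DNS subjectAltName is present" reading of "favor", and the treatment of "mappable to http(s)" as "uses the http or https scheme" are all assumptions; the certificate names are passed in as plain values and the sample data is constructed.

```python
from urllib.parse import urlsplit

def dns_name_matches(pattern, host):
    """TLS-style host comparison: case-insensitive, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    # Assumption: '*' counts only as the entire left-most label, and never
    # directly under a top-level label ("*.com" matches nothing).
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def match_subject(subject, uri_sans=(), dns_sans=(), cn=None):
    """Return 'uri', 'dns' or 'cn' for the name type that matched, else None.

    Name matching only: certificate validation, X.509 extensions and
    transport checks are left to profiles layered on top.
    """
    # A URI subjectAltName is compared to the whole Subject (assumed exact).
    if subject in uri_sans:
        return "uri"
    parts = urlsplit(subject)
    # DNS-based matching applies only to Subjects that map to an http(s) URI;
    # assumption: the Subject itself must use the http or https scheme.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname
    # Assumption: when DNS subjectAltNames exist, the CN is not consulted.
    if dns_sans:
        return "dns" if any(dns_name_matches(d, host) for d in dns_sans) else None
    if cn and dns_name_matches(cn, host):
        return "cn"
    return None

# Constructed sample inputs (not taken from any real certificate).
SAMPLES = [
    ("https://example.com/alice", dict(dns_sans=["example.com"])),
    ("https://id.example.com/", dict(dns_sans=["*.example.com"])),
    ("acct:alice@example.com", dict(dns_sans=["example.com"])),
    ("http://example.com/", dict(cn="example.com")),
]

if __name__ == "__main__":
    for subject, names in SAMPLES:
        print(subject, names, "->", match_subject(subject, **names))
```

A result other than None says only that the names line up; whether the signing certificate is trusted is a separate decision for the layered profile.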