Dick Hardt wrote:
> On 19-Jan-06, at 5:27 AM, Ben Laurie wrote:
>
>> John Merrells wrote:
>>> An identity information exchange should involve just three parties: the
>>> user, their agent, and a relying party. The user’s agent is where they
>>> authenticate themselves and a repository where they store their identity
>>> information, and the relying party is an entity requesting identity
>>> information.
>>
>> This seems overly prescriptive. In particular, it would appear to
>> exclude any kind of temporary certificate. It also excludes proxies. Oh,
>> and the case where authentication occurs elsewhere.
>
> Hey Ben, would you take the time to write up simple use cases for your
> three points so that we (or at least I) can understand them?

Temporary certificate

This is to satisfy the minimality requirement. User has cert including date of birth, say, and wants to prove he's over 21. So, he (or his agent) shows the cert to some CA that produces a temporary cert for him saying he's over 21, which he or his agent then shows to the relying party.

Note that this only half gets you unlinkability if the certs are anything conventional, because the CA can link the permanent and temporary certs.

The CA is, of course, a fourth party in the transaction.

Proxy

Not sure exactly what to say about this, except that a proxy could sit between any of these parties, and the language above assumes that it can do so both transparently and securely. Which may not be so (that is, it may have to be non-transparent to remain secure) if it adds functionality, like caching, or anonymising.

Authentication Elsewhere

It may turn out that for whatever reason I have to use multiple agents, so I'd like to authenticate them via my meta-agent. Unlinkably.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
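The four-party temporary-certificate flow Ben sketches, as an added example that is not part of the original message or of any dix deliverable: an issuer signs a permanent cert carrying the date of birth, a CA derives a minimal "over 21" cert from it, and the relying party accepts that cert without ever seeing the DoB, while the CA's own records link the two certs. Party names, keys and the use of HMAC tags as a stand-in for signatures (so the script runs offline with only the standard library) are all constructed here.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed keys for each party; the verifier holds the issuer's key, as it would hold a public key.
ISSUER_KEY = b"issuer-key-constructed"  # issues the permanent cert carrying the full DoB
CA_KEY = b"ca-key-constructed"          # the fourth party that derives the temporary cert

def sign(key: bytes, claims: dict) -> dict:
    """Return a 'cert': the claims plus an HMAC tag standing in for a signature."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}

def verify(key: bytes, cert: dict) -> bool:
    body = json.dumps(cert["claims"], sort_keys=True).encode()
    return hmac.compare_digest(cert["tag"], hmac.new(key, body, hashlib.sha256).hexdigest())

def issue_permanent(subject: str, dob: str) -> dict:
    """Permanent cert: discloses more than an over-21 check needs."""
    return sign(ISSUER_KEY, {"subject": subject, "dob": dob})

def is_over(dob: str, years: int, today: date) -> bool:
    y, m, d = map(int, dob.split("-"))
    return today >= date(y + years, m, d)  # a 29 Feb birth date would need a fallback

def ca_issue_temporary(permanent: dict, today: date, link_log: list) -> dict:
    """CA verifies the permanent cert and issues a minimal over-21 cert. Its log of
    which permanent cert produced which temporary one is the linkability Ben notes."""
    if not verify(ISSUER_KEY, permanent):
        raise ValueError("permanent cert does not verify")
    if not is_over(permanent["claims"]["dob"], 21, today):
        raise ValueError("subject is not over 21")
    temporary = sign(CA_KEY, {"over_21": True, "nonce": secrets.token_hex(8)})
    link_log.append((permanent["tag"], temporary["tag"]))
    return temporary

def rp_accept(temporary: dict) -> bool:
    """Relying party: CA cert verifies, over-21 claim present, nothing else disclosed."""
    claims = temporary["claims"]
    return (verify(CA_KEY, temporary) and claims.get("over_21") is True
            and not ({"dob", "subject"} & claims.keys()))

def ca_can_link(link_log: list, temporary: dict):
    """Whoever holds the CA's log maps a temporary cert back to its permanent cert."""
    return next((perm for perm, temp in link_log if temp == temporary["tag"]), None)
```

The relying party learns only the over-21 bit, but `ca_can_link` shows why Ben calls this "only half" unlinkability: the derivation step leaves a record that joins both certs.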
