Thursday, April 5, 2007, 5:43:02 AM, you wrote:


DO> How these keys are handled internally could be left to the
DO> consumer or RP.


This sounds like another *strong* use-case for updating the OpenID
protocol to allow transactions to take place when the user is not

I am not likely to be present when people relying upon my certificates
choose to verify signatures, check for revocation, or attempt to
encrypt stuff destined for me.

There needs to be a way for the RP to contact my OP and get access to
my information (eg: my current public key and revocation list) - by my
explicit prior consent of course. 

I believe it's entirely unreasonable, and privacy-invasive, and
identity-theft-dangering, to expect every RP out there to have to
cache a copy of all my credentials, and for me or my OP to have to
propagate any changes/updates/addition etc out to them all.  Keeping
all my info in one place solves this - only if the RPs can get what
they want, *when* they want, which can't be done without
server-to-server means.


specs mailing list

Reply via email to