On 4-Apr-07, at 8:59 PM, Chris Drake wrote: > Thursday, April 5, 2007, 5:43:02 AM, you wrote: > > [snip] > > DO> How these keys are handled internally could be left to the > DO> consumer or RP. > > [snip] > > This sounds like another *strong* use-case for updating the OpenID > protocol to allow transactions to take place when the user is not > present. > > I am not likely to be present when people relying upon my certificates > choose to verify signatures, check for revocation, or attempt to > encrypt stuff destined for me. > > There needs to be a way for the RP to contact my OP and get access to > my information (eg: my current public key and revocation list) - by my > explicit prior consent of course.
Having your public key discoverable at your URL makes lots of sense, it is by its very nature, public. I would not consider fetching the public key to be a transaction though. -- Dick _______________________________________________ specs mailing list [email protected] http://openid.net/mailman/listinfo/specs
