On 8 Feb 2012, at 17:36 , Stephen Kent wrote:

> In the physical world we recognize that certain
> entities are authoritative for identifying people
> or orgs. These entities issue credentials to
> people and orgs, and these credentials are
> accepted for identification and/or authorization
> purposes, in selected contexts. If a CA issues
> certs with IDs for which the CA is authoritative,
> it mimics the real world model, and that's
> generally good. In many of the federation
> examples with which I am familiar, there is too
> much reliance on parties to vouch for identities
> in a nonauthoritative fashion. This is not a
> problem for all such systems, but for many.
I won't argue your point, but let me insist that it is rather a matter of common practices in identity vetting than of the architectures or technologies themselves. CAs can be as lax as the sloppiest federated identity provider, and conversely a federation can require its participating identity providers to apply procedures as strict as the ones used by top-level CAs.

Be goode,

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: [email protected]
Tel: +34 913 129 041
Mobile: +34 682 051 091

-----------------------------------------
This message is intended exclusively for its addressee. You can consult our e-mail sending and receiving policy at the link below.
This message is intended exclusively for its addressee. We only send and receive email on the basis of the terms set out at http://www.tid.es/ES/PAGINAS/disclaimer.aspx

_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
