How we did it in XRI


=markus

Nov 6, 2009, 12:22:48 AM11/6/09
to oauth-key-discovery
Hi,

I think one of the options that was being discussed was to put the
public key into an XRD.

Here you can see an example of how we did this with XRI:
http://xri.net/=markus?_xrd_r=application/xrd+xml;sep=false;debug=1

You'll see that there's a ds:KeyInfo in one of the <Service>s, and the
service type we used was xri://$certificate*($x.509).

I think the consensus we had during the IIW session was that we should
have a registered Rel type, e.g. "keyinfo".

Markus

Brian Eaton

Nov 6, 2009, 12:51:51 PM11/6/09
to oauth-key...@googlegroups.com
On Thu, Nov 5, 2009 at 9:22 PM, =markus <markus.s...@gmail.com> wrote:
> You'll see that there's a ds:KeyInfo in one of the <Service>s, and the
> service type we used was xri://$certificate*($x.509).

What do you think of this spec?

http://www.w3.org/TR/xmldsig-core/#sec-X509Data

Cheers,
Brian

Mason Lee

Nov 6, 2009, 2:16:26 PM11/6/09
to oauth-key-discovery
I'd suggest letting someone close to the link registry process choose
for us between "key-info" and "keyinfo". I see more examples of
hyphenating words in rel values than cramming together words
("describedby" being the singular exception I found). The XML dsig
spec treats key info as two words in "ds:KeyInfo" rather than
"ds:Keyinfo", and it might be nice to match.

Cheers,
Mason

Markus Sabadello

Nov 6, 2009, 2:23:58 PM11/6/09
to oauth-key...@googlegroups.com
I don't know that spec in detail, but it seems the ds:KeyInfo/ds:X509Data/ds:X509Certificate pattern is exactly what we need for public key discovery (oauth, xri/xdi, etc...), right? Maybe other ds: elements could be useful too, don't know..

The one element we probably don't need is ds:RetrievalMethod, which is for getting keys from an external location. For that purpose we already have xrd:URI I think :)

Markus

Brian Eaton

Nov 6, 2009, 5:54:15 PM11/6/09
to oauth-key...@googlegroups.com
On Fri, Nov 6, 2009 at 11:23 AM, Markus Sabadello
<markus.s...@gmail.com> wrote:
> I don't know that spec in detail, but it seems the
> ds:KeyInfo/ds:X509Data/ds:X509Certificate pattern is exactly what we need
> for public key discovery (oauth, xri/xdi, etc...), right? Maybe other ds:
> elements could be useful too, don't know..

Yep.

The feeling I'm getting is that the XRI/XDI use cases and the OAuth
use cases are really, really different, but can leverage the same
public key formats and distribution systems.

John Panzer

Nov 9, 2009, 3:54:02 PM11/9/09
to oauth-key-discovery
The http://www.w3.org/TR/xmldsig-core/#sec-X509Data almost certainly
covers the use cases I can think of for OAuth & Salmon, and probably a
lot more. It does assume familiarity with a lot of external specs and
standards. If nothing else, it would be really good to see examples of
how this would work (actual XML) for various use cases. And, is the
handling simple enough to code up de novo, or are there existing
libraries for all platforms that get the underlying semantics right?

The use cases I can think of are:

1. I want to retrieve the public key (possibly self-signed) for {uri}
2. I want to see the past public keys used by {uri}, with timeframes
indicating when keys were valid.
3. I want to be able to have different public keys for different
purposes (I think this is handled with multiple link relations).
4. I want to be able to revoke keys and publish that fact. Aside:
There should be a way to talk about "public key A" vs. "public key B"
so I can broadcast things like "I just revoked my public key A"

These are approximately in priority order :)

On Nov 6, 2:54 pm, Brian Eaton <bea...@google.com> wrote:
> On Fri, Nov 6, 2009 at 11:23 AM, Markus Sabadello
>
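An added example, not code from this thread or from xri.net, of reading the ds:KeyInfo/ds:X509Data/ds:X509Certificate pattern Markus describes out of an XRI 2.0 XRD, which is John's first use case (retrieve the public key for a subject). The XRD namespace string, the sample document and the placeholder DER blob are assumptions; ds:RetrievalMethod is ignored on purpose, as Markus suggests, so discovery never follows an embedded URI.

```python
import base64
import xml.etree.ElementTree as ET  # production code: prefer defusedxml

XRD_NS = "xri://$xrd*($v*2.0)"      # XRI Resolution 2.0 XRD namespace (assumed)
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
CERT_TYPE = "xri://$certificate*($x.509)"

# Constructed placeholder: a 5-byte DER SEQUENCE, not a real X.509 certificate.
FAKE_DER = b"\x30\x03\x02\x01\x01"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed sample XRD (not the live =markus document). Service 1 carries an
# inline certificate; Service 2 only points elsewhere via ds:RetrievalMethod;
# Service 3 has an unrelated (placeholder) type and must not yield a key.
SAMPLE_XRD = f"""<XRD xmlns="{XRD_NS}" xmlns:ds="{DS_NS}">
  <Service><Type>{CERT_TYPE}</Type>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </Service>
  <Service><Type>{CERT_TYPE}</Type>
    <ds:KeyInfo><ds:RetrievalMethod URI="http://example.invalid/key"/></ds:KeyInfo>
  </Service>
  <Service><Type>xri://$example*($other)</Type>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </Service>
</XRD>"""


def extract_certificates(xrd_xml):
    """Return DER bytes of every inline X.509 cert in a certificate service.

    Only inline ds:X509Certificate values are accepted; ds:RetrievalMethod is
    never followed, so the key comes from the XRD itself and nowhere else.
    """
    root = ET.fromstring(xrd_xml)
    certs = []
    for svc in root.findall(f"{{{XRD_NS}}}Service"):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if CERT_TYPE not in types:
            continue
        for el in svc.iter(f"{{{DS_NS}}}X509Certificate"):
            try:
                der = base64.b64decode((el.text or "").strip(), validate=True)
            except ValueError:
                continue                      # malformed base64: skip, don't crash
            if len(der) < 2 or der[0] != 0x30:
                continue                      # not a DER SEQUENCE, so not a cert
            certs.append(der)                 # hand to an X.509 parser from here
    return certs
```

Which of several returned certificates applies to a given purpose (John's use case 3) would still have to come from distinct service or link types; this function only collects the inline ones.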