Re: Solutions to the NASCAR problem?

Hi Anders

On 22/11/2015 14:05, Anders Rundgren wrote:
> On 2015-11-22 14:58, David Chadwick wrote:
>>>
>>> This is the core part from the NASCAR perspective.
>>> As far as I understand this information is currently not available to
>>> SPs.
>>>
>>
>> Sorry my answer was ambiguous/unclear. The user is identified to the
>> Issuer by the SOP key associated with the issuer.
> 
> OK.
> 
>> The user is identified
>> to the consumer by the SOP key associated with the consumer.
> 
> So now there are two keys belonging to the user, right?

The user has dozens of keys, one for each web site he authenticates to.
SOP ensures that each private key is only used to sign messages to the
original site that the public key was first sent to.

> 
> 
>> The user sends the consumer SOP public key to the issuer and the issuer
>> assigns the attribute to that.
> 
> I think you lost me here, at least with respect to the NASCAR problem.

This is because the user does not go to any third party to authenticate
to a site. A new key pair is generated for the site, and this
authenticates the user each time he calls. Note however that FIDO does
not provide any identity or authz information, just an authn key, which
is why we need to add this functionality using issuers.


> 
> 
>> The issuer has no idea who the consumer
>> is since this key is unique to the user. But the consumer knows the user
>> possesses the attribute since the assertion is signed by the issuer, and
>> the attribute is attached to its SOP key.
> 
> Is this protocol described somewhere?

In a paper I have written for IFIP Sec, to be submitted in January.

David

> 
> Anders
> 
>>
>> regards
>>
>> David
>>
>>>
>>> Anders
>>>
> 
> 
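The exchange David sketches above, modelled as an added Go example; this is not code from the thread, from the paper he mentions, or from any W3C or FIDO project. It assumes Ed25519 as the signature scheme, a hypothetical byte encoding for the issuer's assertion, constructed origin names (`https://issuer.example`, `https://consumer.example`), a constructed attribute (`over18`), and that the user's authentication to the issuer with its issuer-origin SOP key has already happened (that step is elided). What it shows: the user keeps one key pair per origin, the issuer signs an attribute over the user's consumer-origin public key without learning who the consumer is, and the consumer accepts only if the presenter proves possession of exactly that key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed origins for the example.
const (
	IssuerOrigin   = "https://issuer.example"
	ConsumerOrigin = "https://consumer.example"
)

// User holds one key pair per origin (Same Origin Policy): the key created
// for a site is only ever used to sign messages for that site.
type User struct{ keys map[string]ed25519.PrivateKey }

func NewUser() *User { return &User{keys: map[string]ed25519.PrivateKey{}} }

// keyFor returns the user's key for an origin, generating it on first visit.
func (u *User) keyFor(origin string) ed25519.PrivateKey {
	if k, ok := u.keys[origin]; ok {
		return k
	}
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	u.keys[origin] = priv
	return priv
}

// PublicKey is what the user hands out for an origin: to the site itself,
// or to an issuer that should bind an attribute to it.
func (u *User) PublicKey(origin string) ed25519.PublicKey {
	return u.keyFor(origin).Public().(ed25519.PublicKey)
}

// Sign uses only the key bound to origin; there is no cross-site key reuse.
func (u *User) Sign(origin string, msg []byte) []byte {
	return ed25519.Sign(u.keyFor(origin), msg)
}

// Assertion is the issuer's statement "this public key has this attribute".
type Assertion struct {
	Attribute string
	Subject   ed25519.PublicKey
	Signature []byte // issuer signature over assertionBytes(Attribute, Subject)
}

// assertionBytes is a hypothetical encoding chosen for this example only.
func assertionBytes(attr string, subject ed25519.PublicKey) []byte {
	return append(append([]byte{byte(len(attr))}, attr...), subject...)
}

type Issuer struct{ key ed25519.PrivateKey }

func NewIssuer() *Issuer {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Issuer{key: priv}
}

func (i *Issuer) PublicKey() ed25519.PublicKey { return i.key.Public().(ed25519.PublicKey) }

// Issue binds attr to a key the (already authenticated) user presented. The
// issuer sees only a key; it cannot tell which consumer that key belongs to.
func (i *Issuer) Issue(attr string, subject ed25519.PublicKey) Assertion {
	return Assertion{attr, subject, ed25519.Sign(i.key, assertionBytes(attr, subject))}
}

// Consumer trusts one issuer key and accepts an assertion only if the presenter
// proves possession of the very key the attribute is attached to.
type Consumer struct {
	Origin    string
	IssuerKey ed25519.PublicKey
}

func (c *Consumer) Verify(a Assertion, challenge, proof []byte) error {
	if !ed25519.Verify(c.IssuerKey, assertionBytes(a.Attribute, a.Subject), a.Signature) {
		return errors.New("assertion is not signed by the trusted issuer")
	}
	if !ed25519.Verify(a.Subject, append([]byte(c.Origin), challenge...), proof) {
		return errors.New("presenter does not hold the key the attribute is bound to")
	}
	return nil
}

// Exchange runs the flow. proofOrigin selects which of the user's keys signs the
// consumer's challenge: under SOP this is always the consumer's own origin, and
// the consumer rejects a proof made with any other key.
func Exchange(proofOrigin string) error {
	user, issuer := NewUser(), NewIssuer()
	consumer := &Consumer{Origin: ConsumerOrigin, IssuerKey: issuer.PublicKey()}
	_ = user.PublicKey(IssuerOrigin) // key the user authenticates to the issuer with (step elided)

	// 1. User sends its consumer-origin public key to the issuer, which signs the attribute over it.
	a := issuer.Issue("over18", user.PublicKey(ConsumerOrigin))

	// 2. Consumer challenges; the user signs origin||challenge with the matching key.
	challenge := make([]byte, 16)
	if _, err := rand.Read(challenge); err != nil {
		panic(err)
	}
	proof := user.Sign(proofOrigin, append([]byte(ConsumerOrigin), challenge...))
	return consumer.Verify(a, challenge, proof)
}

// KeysAreDistinct shows why the issuer cannot link the user across sites:
// the keys for two origins are unrelated.
func KeysAreDistinct() bool {
	u := NewUser()
	return !u.PublicKey(IssuerOrigin).Equal(u.PublicKey(ConsumerOrigin))
}

func main() {
	fmt.Println("proof with consumer-origin key:", Exchange(ConsumerOrigin))
	fmt.Println("proof with issuer-origin key:  ", Exchange(IssuerOrigin))
	fmt.Println("per-origin keys distinct:", KeysAreDistinct())
}
```

The second `Exchange` call models the check a consumer must not skip: an assertion is only as good as the proof that the presenter controls the subject key, otherwise any party that has seen the assertion could replay it. Binding the challenge to the consumer's origin inside the signed message is what ties the proof to this site and no other.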

Received on Sunday, 22 November 2015 16:10:33 UTC