- From: Nico Williams <nico@cryptonector.com>
- Date: Wed, 15 Jun 2011 12:00:30 -0500
- To: Anders Rundgren <anders.rundgren@telia.com>
- Cc: Yutaka OIWA <y.oiwa@aist.go.jp>, "KIHARA, Boku" <bkihara.l@gmail.com>, public-identity@w3.org, pgut001@cs.auckland.ac.nz
On Wed, Jun 15, 2011 at 11:51 AM, Anders Rundgren <anders.rundgren@telia.com> wrote:
>>> Regarding mutual authentication, it would be a piece of cake adding an X.509
>>> extension containing sites/domains that the issuer grants usage with.
>>
>> AFAICT, adding extensions to PKIX is never a piece of cake. And
>> anyways, there's already naming constraints for PKIX (if that's what
>> you meant).
>
> I meant something similar to what you outlined above but stuffed in
> the *client* certificate.

Ah, an extension for helping the client select credentials... But that seems like a local-only feature because you'd have to rely on RPs looking for client misuse of certs, and it seems too late to do that by the time the client has signed something with their key and sent it. I don't think it will help all that much unless you have a user cert per-RP, and then you might as well just have RP-only certs all the way (which requires a cert registration or else certification protocol).

Nico
--
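As an added illustration of the relying-party-side check discussed above (this is example code written for this archive page, not code from the thread participants or from any W3C or PKIX specification): if a client certificate carried a hypothetical "permitted sites" extension, the RP would have to evaluate it itself, because the client has already signed with its key by the time the RP sees the certificate. The example borrows the DNS-name matching rule of RFC 5280 name constraints (a constraint `host.example.com` is satisfied by that name and by any name formed by prepending labels; excluded subtrees take precedence over permitted ones). The `RpConstraints` type, the `rp_may_accept` function and the sample constraint lists are assumptions constructed for the example; no certificate parsing is performed.

```python
# Added example, not from the mailing-list thread. Models how a relying party
# (RP) would evaluate a hypothetical per-client-cert "permitted sites"
# extension, using RFC 5280 section 4.2.1.10 DNS-name constraint semantics.
# The constraint lists are assumed to have been extracted from the
# certificate already; this code does no ASN.1 parsing.
from dataclasses import dataclass, field


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 DNS constraint match.

    A name satisfies constraint `base` when it equals `base` or is formed by
    adding one or more labels on the left (so "www.example.com" matches
    "example.com", but "evil-example.com" does not).
    """
    name = name.rstrip(".").lower()
    base = base.rstrip(".").lower()
    return name == base or name.endswith("." + base)


@dataclass
class RpConstraints:
    """Hypothetical usage constraints carried by a client certificate."""
    permitted: list = field(default_factory=list)  # empty list => unrestricted
    excluded: list = field(default_factory=list)


def rp_may_accept(rp_host: str, c: RpConstraints) -> bool:
    """Decide whether this RP host is allowed to accept the client cert.

    Excluded subtrees are checked first and always win. An empty permitted
    list means any host that is not excluded is acceptable, mirroring the
    way RFC 5280 treats an absent permittedSubtrees.
    """
    if any(dns_in_subtree(rp_host, e) for e in c.excluded):
        return False
    if not c.permitted:
        return True
    return any(dns_in_subtree(rp_host, p) for p in c.permitted)


# Constructed sample constraints for the demonstration (not real data).
SAMPLE = RpConstraints(
    permitted=["example.com", "login.example.net"],
    excluded=["internal.example.com"],
)


def audit(hosts: list, c: RpConstraints = SAMPLE) -> dict:
    """Evaluate several RP hostnames against one constraint set."""
    return {h: rp_may_accept(h, c) for h in hosts}


if __name__ == "__main__":
    for host, ok in audit([
        "www.example.com", "internal.example.com",
        "evil-example.com", "login.example.net", "example.net",
    ]).items():
        print(f"{host:28s} {'accept' if ok else 'reject'}")
```

The check limits what an RP will accept; it cannot undo a signature the client has already produced with its key, which is the "too late" point made in the reply above.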
Received on Wednesday, 15 June 2011 17:00:55 UTC