Key Discovery

I'm trying to follow the discussions but I find myself lost here.

This is my take on the subject:

Domain-bound keys
For domain-bound keys the scope is restricted to the keys that the Issuer/RP created.
An opaque domain-local KeyID should be sufficient.
Domain-bound keys should (at least in my mind) be constrained to a specific client-defined container.
The need for UI selection seems limited. If the Issuer/RP can't keep track of its own operations it would be wrong to let the user take this burden.

Non-bound keys
Non-bound keys need a combination of UI selection and filter parameters.
For UI-selections you also need key pinning.
Key look-up API functions are likely to create privacy issues.

Algorithm filtering
If you have no idea what keys the client has, you have a problem.
Algorithm filtering doesn't seem to be the right "cure".

SKS additions for non-bound keys
All keys must have an X.509 certificate as ID regardless of whether it is a PKI key or not.
Keys should be fitted with logotypes to make UI selections easier.


Received on Saturday, 28 July 2012 18:53:04 UTC