- From: Pelle Braendgaard <pelle@stakeventures.com>
- Date: Thu, 12 Jan 2012 13:00:52 -0500
- To: Web Payments <public-webpayments@w3.org>, opentransact@googlegroups.com
- Message-ID: <CAHtLsUVGM83dEpiDPQiMFCxf_4OUcZYmD-jsqRzeat7mzXJ8iA@mail.gmail.com>
Manu,

You say:

> A new form of PKI has not been invented for PaySwarm. It uses the industry
> standard for both encryption and digital signatures – AES and RSA. The PKI
> methods are clearly laid out in the specification and have been settled for
> quite a while, not a single person has mentioned that they want to use a
> different set of PKI methods or implementations, nor have they raised any
> technical issues related to the PKI portion of the specification.
>
> Pelle might be referring to how PaySwarm specifies how to register public
> keys on the Web, but if he is, there is very little difference between that
> and having to manage OAuth 2 tokens, which is a requirement imposed on
> developers by the OpenTransact specification.

A PKI is neither signing nor encryption. It is the infrastructure used to manage the keys. It is notoriously complex and many different PKIs have been created and attempted.

http://en.wikipedia.org/wiki/Public_key_infrastructure

This is the link to the PaySwarm PKI:

http://payswarm.com/specs/source/web-api/#vendor-registration

It appears your PKI has:

- registration
- http based public key lookup

If you believe that digital signatures are sacrosanct you need many different things to create an effective PKI:

- Who does the key belong to?
- How can we revoke it?
- How do we auto expire it?
- When we create a new cert are our old receipts still valid?
- I lost the private key, what do I do?

This does not belong in a payment standard. I would be willing to help create a new simple web based PKI based on what is in PaySwarm. But it just does not belong in either the PaySwarm or OpenTransact spec itself.

The oauth2 http mac authentication scheme could easily be extended to use RSA on top of such a simple standard.

http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-00

Unless I'm missing it the single most important part of OAuth2 that has not been implemented in PaySwarm is delegation.

How do I connect to a PaySwarm authority from a mobile app or a new kind of application such as crowd funding without handing them my private key?

Pelle

--
http://picomoney.com - Like money, just smaller
http://stakeventures.com - My blog about startups and agile banking
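As an added illustration of the revocation, expiry and "are old receipts still valid?" questions raised in the message above (example code added here, not taken from the email, PaySwarm or OpenTransact), the following Go program models the smallest registry that can answer them. It assumes an in-memory map standing in for an HTTP public-key lookup, a constructed receipt format, and a hypothetical key id `vendor-key-1` and owner; the RSA-PSS signing and verification are from Go's standard library.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// KeyRecord is what a minimal web key registry could store per key id: owner,
// validity window (auto-expiry) and revocation. Revocation is recorded as a
// timestamp instead of deleting the key, so receipts signed before that moment
// remain verifiable after the key is retired.
type KeyRecord struct {
	Owner     string
	Pub       *rsa.PublicKey
	NotBefore time.Time
	NotAfter  time.Time
	RevokedAt *time.Time // nil while the key is still in use
}

// Registry is a hypothetical in-memory stand-in for an HTTP public-key lookup.
type Registry map[string]KeyRecord

// Receipt is a signed payment receipt naming the key that signed it and when.
type Receipt struct {
	KeyID    string
	SignedAt time.Time
	Body     string
	Sig      []byte
}

// receiptDigest binds key id, signing time and body into the signed value, so
// none of them can be swapped without invalidating the signature.
func receiptDigest(r Receipt) []byte {
	h := sha256.New()
	h.Write([]byte(r.KeyID + "|" + r.SignedAt.UTC().Format(time.RFC3339) + "|" + r.Body))
	return h.Sum(nil)
}

// Sign produces an RSA-PSS signed receipt (constructed format, not PaySwarm's).
func Sign(priv *rsa.PrivateKey, keyID string, signedAt time.Time, body string) (Receipt, error) {
	r := Receipt{KeyID: keyID, SignedAt: signedAt, Body: body}
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, receiptDigest(r), nil)
	if err != nil {
		return Receipt{}, err
	}
	r.Sig = sig
	return r, nil
}

// Verify accepts a receipt only if the signature checks out AND the key was
// registered, unexpired and not yet revoked at the moment the receipt was signed.
func (reg Registry) Verify(r Receipt) (string, error) {
	rec, ok := reg[r.KeyID]
	if !ok {
		return "", errors.New("unknown key id")
	}
	if r.SignedAt.Before(rec.NotBefore) || r.SignedAt.After(rec.NotAfter) {
		return "", errors.New("key not valid at signing time")
	}
	if rec.RevokedAt != nil && !r.SignedAt.Before(*rec.RevokedAt) {
		return "", errors.New("key already revoked at signing time")
	}
	if err := rsa.VerifyPSS(rec.Pub, crypto.SHA256, receiptDigest(r), r.Sig, nil); err != nil {
		return "", errors.New("bad signature")
	}
	return rec.Owner, nil
}

// Demo registers one vendor key, revokes it on day 2, and reports whether a
// receipt signed on day 1, one signed on day 3, and a tampered day-1 receipt verify.
func Demo() (beforeOK, afterOK, tamperedOK bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	t0 := time.Date(2012, 1, 12, 0, 0, 0, 0, time.UTC)
	revoked := t0.Add(48 * time.Hour)
	reg := Registry{"vendor-key-1": { // constructed key id and owner
		Owner: "vendor@example.com", Pub: &priv.PublicKey,
		NotBefore: t0, NotAfter: t0.AddDate(1, 0, 0), RevokedAt: &revoked,
	}}
	day1, err := Sign(priv, "vendor-key-1", t0.Add(24*time.Hour), "10.00 USD to merchant")
	if err != nil {
		return false, false, false, err
	}
	day3, err := Sign(priv, "vendor-key-1", t0.Add(72*time.Hour), "10.00 USD to merchant")
	if err != nil {
		return false, false, false, err
	}
	tampered := day1
	tampered.Body = "1000.00 USD to merchant" // signature no longer matches the digest
	_, e1 := reg.Verify(day1)
	_, e2 := reg.Verify(day3)
	_, e3 := reg.Verify(tampered)
	return e1 == nil, e2 == nil, e3 == nil, nil
}

func main() {
	before, after, tampered, err := Demo()
	fmt.Println("day-1 receipt:", before, "post-revocation receipt:", after, "tampered:", tampered, "err:", err)
}
```

The day-1 receipt still verifies after the key is revoked because the registry keeps the key with a revocation time rather than removing it; the day-3 receipt and the tampered receipt are rejected. The check trusts the receipt's own `SignedAt`, so a holder of a revoked key could backdate a new receipt; a deployment would need the signing time to come from a trusted source, such as a timestamp or countersignature from the authority, which is the kind of question that makes a PKI more than "verify an RSA signature".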
Received on Thursday, 12 January 2012 18:01:28 UTC