348
edits
Labs/Identity/VerifiedEmailProtocol: Difference between revisions
Jump to navigation
Jump to search
m
Labs/Identity/VerifiedEmailProtocol (view source)
Revision as of 17:06, 25 March 2011
, 25 March 2011→Certification: formatting
m (→Verification Services: fix heading) |
m (→Certification: formatting) |
||
| Line 182: | Line 182: | ||
When the user agent provides a verifiedEmail to a relying party, the certificate is included with the identity assertion: | When the user agent provides a verifiedEmail to a relying party, the certificate is included with the identity assertion: | ||
<pre>{ | <pre>{ | ||
audience: "destination.com", | audience: "destination.com", | ||
valid-until: <format TBD>, | valid-until: <format TBD>, | ||
email: "alice@mailhost.com" | email: "alice@mailhost.com" | ||
certificate: { | certificate: { | ||
email: "alice@mailhost.com", | email: "alice@mailhost.com", | ||
public-key: <alices-public-key>, | public-key: <alices-public-key>, | ||
valid-until: <format TBD>, | valid-until: <format TBD>, | ||
}-signed-with-mailhost.com-key | }-signed-with-mailhost.com-key | ||
}</pre> | }</pre> | ||
The relying party, when it sees that a certificate is present, may choose to skip the retrieval of the user's public key by instead verifying the certificate. That flow would be: | The relying party, when it sees that a certificate is present, may choose to skip the retrieval of the user's public key by instead verifying the certificate. That flow would be: | ||
# Resolve a site-level public key for the issuer by performing host discovery on the email in the certificate (for example, by performing an RFC XX "well-known" lookup on an HTTPS server) | |||
# Verify the signature on the certificate using the public key | |||
If the certificate is verified, the relying party can proceed with identity assertion verification using the public key contained in the certificate. The public key for the host can be cached or distributed out-of-band; there is no requirement for the relying party to communicate with the issuing authority directly at all. | If the certificate is verified, the relying party can proceed with identity assertion verification using the public key contained in the certificate. The public key for the host can be cached or distributed out-of-band; there is no requirement for the relying party to communicate with the issuing authority directly at all. | ||