Consent to Create Binding
Full Title
The definition of a message to carry consent from a subject to a Credential Service Provider.
Context
In an environment where a subject is requesting the establishment of a binding between it's private key and a Provider of any identifier services, the implicit assumption has been that the action of the subject on the website is sufficient. In today's world of gathering a subject's most private information some better means of capturing subject consent is urgently needed.
Existing Methods
- While it is true that methods exist for individual subjects to acquire a certificate for signing emails and receiving encrypted email, the adoption of that method outside of th enterprise is essentially failed and will not be considered as a paradigm for this effort.
- The most common request today is for an SSL or EV certificate from a Certificate Authority (CA) which works reasonably well for what it is intended to do. While it is possible to set up a CA of your own, we will address the more common case of a CA that has been approved by the major browser vendors. Before the process begins the user selects a Distinguished Name for the site based on the rules established by the CA/B forum.
Credential Service Provider
Problems
Prevention of attacks (exploits)
Solution
The following is the current understanding of what needs to be included in a Consent for Binding Request.
Subject
MANDITORY - this is the identifier from the user that will be the subject of the binding, the the DN of the X.509 certificate. Whether this subject identifier is to be bound to a real world entity (like a human being) is to be determined by the purposes to which the resulting entity statement will be put.
Entity Statement
NOT PART OF REQUEST - this is the message returned by the CSP after the process has been completed. It is then made available to any legitimate request.
Subject
Subject
Subject
Subject
Subject
Subject
Subject