[OpenID board] upcoming Google announcement regarding OpenID

Will Norris will at willnorris.com
Fri Jul 10 16:28:46 UTC 2009


On Jul 9, 2009, at 8:44 PM, Santosh Rajan wrote:

> Are you kidding? XRI TC hasn't even figured out how to sign an XRD
> document. XML DSig has been around for 11 years and it can't reliably
> sign an XML document? Why doesn't the XRI TC come out with a simple
> XRD draft as soon as possible and relieve everyone from all this pain?
> Is the XRI TC waiting for the cows to come home?


You're welcome to track the progress of XRD in the OASIS svn  
repository[0].  There is only a docbook version there, we don't have  
the HTML versions in subversion... unfortunately the OASIS document  
repository requires authentication.

[0]: http://tools.oasis-open.org/version-control/svn/xri/xrd/1.0/trunk/

While this is not really the best place to talk about XRD specifics,  
I'll address your point about signatures to say that XRD is in fact  
using XML DSig for signing.  More accurately, we're using a  
constrained profile of DSig using Exclusive Canonicalization that  
should be much easier to implement than full inclusive c14n.  This is  
the same approach taken in SAML 2.0.

One of my personal qualms with Google's recommended discovery  
extension is that it significantly differs from XRD in this (they are  
using their own signing method instead of traditional DSig) and other  
ways, while being strikingly similar in others.  I believe this will  
lead to unnecessary confusion.  To be clear, my opposition to a  
foundation endorsement of this is not based on the merits of the  
proposed protocol (aside from some specific language I've already  
pointed out)... the XRI TC is the correct place to debate that.   
Rather, my opposition is based on my belief that widespread adoption  
of the proposed protocol will confuse, and possibly fragment, the  
community if XRD does end up being the solution for OpenID discovery  
in the not-too-distant future.


On Jul 9, 2009, at 5:10 PM, Eric Sachs wrote:

> We haven't formally announced it yet :-)  We keep delaying internally,
> but at some point we'll have to launch it and I would be surprised if
> we can hold off for longer than a few weeks given how many months we
> have already delayed.  But when the drafts get finalized, we're hoping
> to support it within a small number of days and remove documentation
> for the proof-of-concept approach.  The partners we have already
> worked with have read the warnings in our documentation that we will
> be switching the discovery mechanism once the standards get
> solidified, so they are prepared to have to make that change on their
> side.

This sounds great, it's good to know that you plan on migrating to XRD  
in a timely fashion when it is ready.  I don't mean to discount the  
contributions Google has made to the community both in helping to  
develop and implement these standards.  And if you need to go forward  
with a temporary solution in the meantime in order to satisfy existing  
customers, that's perfectly fine.  I understand that Google is free to  
move forward with whatever is necessary for your business, I'm not  
suggesting otherwise.  But if the work is being done with specific  
partners, I'm not sure why that necessitates a public announcement  
including endorsement from the foundation.  Is it not sufficient to  
point implementors to the Google document on an individual basis,  
which is what I would assume you've been doing thus far?  You're  
absolutely right that a public announcement would likely lead at least  
some in the community and the press to interpret this move as Google  
trying to co-opt OpenID.  But I'm not sure that the foundation  
publicly supporting the move is the right solution to that problem.

I think my particular horse is pretty well dead enough already, so  
I'll shut up for now.  I've said my piece... it is of course the  
board's decision to make.

-will


