[OpenID board] upcoming Google announcement regarding OpenID

Will Norris will at willnorris.com
Fri Jul 10 16:28:46 UTC 2009

On Jul 9, 2009, at 8:44 PM, Santosh Rajan wrote:

> Are you kidding? XRI TC hasnt even figured how to sign an XRD  
> document. XML
> DSig has been around for 11 years and it cant reliably sign an XML  
> document?
> Why don't XRI TC come out with a simple XRD draft as soon as  
> possible and
> relieve everyone from all this pain. IS the XRI TC waiting for the  
> cows to
> come home?

You're welcome to track the progress of XRD in the OASIS svn  
repository[0].  There is only a docbook version there, we don't have  
the HTML versions in subversion... unfortunately the OASIS document  
repository requires authentication.

[0]: http://tools.oasis-open.org/version-control/svn/xri/xrd/1.0/trunk/

While this is not really the best place to talk about XRD specifics,  
I'll address your point about signatures to say that XRD is in fact  
using XML DSig for signing.  More accurately, we're using a  
constrained profile of DSig using Exclusive Canonicalization that  
should be much easier to implement than full inclusive c14n.  This is  
the same approach taken in SAML 2.0.

One of my personal qualms with Google's recommended discovery  
extension is that it significantly differs from XRD in this (they are  
using their own signing method instead of traditional DSig) and other  
ways , while being strikingly similar in others.  I believe this will  
lead to unnecessary confusion.  To be clear, my opposition to a  
foundation endorsement of this is not based on the merits of the  
proposed protocol (aside from some specific language I've already  
pointed out)... the XRI TC is the correct place to debate that.   
Rather, my opposition is based on my belief that widespread adoption  
of the proposed protocol will confuse, and possibly fragment, the  
community if XRD does end up being the solution for OpenID discovery  
in the not-too-distant future.

On Jul 9, 2009, at 5:10 PM, Eric Sachs wrote:

> We haven't formally announced it yet :-)  We keep delaying  
> internally, but
> at some point we'll have to launch it and I would be surprised if we  
> can
> hold off for longer then a few weeks given how many months we have  
> already
> delayed.  But when the drafts get finalized, we're hoping to support  
> it
> within a small number of days and remove documentation for the
> proof-of-concept approach.  The partners we have already worked with  
> have
> read the warnings in our documentation that we will be switching the
> discovery mechanism once the standards gets solidified, so they are  
> prepared
> to have to make that change on their side.

This sounds great, it's good to know that you plan on migrating to XRD  
in a timely fashion when it is ready.  I don't mean to discount the  
contributions Google has made to the community both in helping to  
develop and implement these standards.  And if you need to go forward  
with a temporary solution in the meantime in order to satisfy existing  
customers, that's perfectly fine.  I understand that Google is free to  
move forward with whatever is necessary for your business, I'm not  
suggesting otherwise.  But if the work is being done with specific  
partners, I'm not sure why that necessitates a public announcement  
including endorsement from the foundation.  Is it not sufficient to  
point implementors to the Google document on an individual basis,  
which is what I would assume you've been doing thus far?  You're  
absolutely right that a public announcement would likely lead at least  
some in the community and the press to interpret this move as Google  
trying to co-opt OpenID.  But I'm not sure that the foundation  
publicly supporting the move is the right solution to that problem.

I think my particular horse is pretty well dead enough already, so  
I'll shut up for now.  I've said my piece... it is of course the  
board's decision to make.


More information about the board mailing list