[OpenID] Fwd: Proposal: DNS based mapping/discovery for user at REALM identifiers

Martin Atkins mart at degeneration.co.uk
Sat Mar 31 08:58:13 UTC 2007

Simon Spero wrote:
> All,
> Whenever I talk to people on campus about openid, I always seem to hear 
> objections, mostly on aesthetic grounds, to the use of URLs as end-user 
> visible identifiers.  As Patrick McGoohan said, "I am not a web page, I 
> am a free man"...

I'm not an email account either!

This is why RPs that are presenting user identifiers to the world should 
primarily use my chosen "display name" but make the URL available for 
disambiguation and cross-site referencing.

> DNS-SD Discovery
> DNS Service Discovery (DNS-SD) defines a set of mechanisms for locating 
> services using the DNS.  These mechanisms are the underpinnings of 
> Apple's Bonjour. 
> Services are represented in DNS-SD as pairs of SRV and TXT records.  
> The SRV record provides hostname and port information.  The TXT 
> record carries any other service parameters in a key=value format.
> One approach to using DNS-SD for OpenID discovery is to define service 
> parameters to carry identifier and provider format strings - for 
> example, %u might stand for the user name, and %r might stand for the 
> realm. 
> $ORIGIN _tcp.bonjour.unc.edu.
> _openid                 PTR     eritrea._openid
> $ORIGIN _openid._tcp.bonjour.unc.edu.
> eritrea  TXT     "provider=https://eritrea.oit.unc.edu/openid1/%u" \
>                  "identity=https://eritrea.oit.unc.edu/user/%u"
>          SRV     0 0 443 eritrea.oit.unc.edu.
> would map ses at bonjour.unc.edu to provider 
> url https://eritrea.oit.unc.edu/openid1/ses, and identity url 
> https://eritrea.oit.unc.edu/user/ses.
> This approach allows much more flexibility in urls, but is best suited 
> to cases where every user in a realm is authenticated by the same 
> provider.  This may be appropriate, but is more restrictive than  behavior.

If you make a minor modification, you can make it more flexible:

When you see ses at bonjour.unc.edu, look for 
ses._openid._tcp.bonjour.unc.edu (note that the username has now been 
added in there).

If you allow there to be a wildcard CNAME under _openid and retain your 
%u and %r placeholders (though given that % already has a special 
meaning in URLs, a different marker might be better) then it remains 
possible to do the case where everyone's handled by the same provider.
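Worked example of the lookup described in this thread (added here for illustration; it is not code from the thread, from Simon's campus deployment or from any OpenID library). It takes a `user@realm` identifier, looks up `<user>._openid._tcp.<realm>`, falls back to a wildcard entry at the same depth, and expands the `%u`/`%r` placeholders from the TXT parameters into provider and identity URLs. The DNS zone is a constructed in-memory dictionary so the example runs offline, and the wildcard fallback models the "wildcard CNAME under _openid" idea in the lookup function rather than through real DNS wildcard processing; the `alice` entry, the `idp.example.org` host and the `%u`-encoding and HTTPS checks are assumptions of this example, not something the thread specifies.

```python
"""
Resolve "user@realm" to OpenID provider/identity URLs via the DNS-SD
layout discussed in the thread, with the per-user label modification.

Lookup order for user@realm (assumed by this example):
  1. <user>._openid._tcp.<realm>   -- per-user record
  2. *._openid._tcp.<realm>        -- wildcard fallback (one provider for all)
Answers are TXT strings of key=value pairs; values may contain %u (user)
and %r (realm) placeholders, as in the quoted zone fragment.
"""
import re
from urllib.parse import quote

# Constructed sample zone, name -> TXT strings. Hypothetical data standing
# in for a real resolver so the example runs offline.
SAMPLE_ZONE = {
    "*._openid._tcp.bonjour.unc.edu": [
        "provider=https://eritrea.oit.unc.edu/openid1/%u",
        "identity=https://eritrea.oit.unc.edu/user/%u",
    ],
    # One user served by a different provider (the flexibility the
    # per-user label adds); idp.example.org is an assumed host.
    "alice._openid._tcp.bonjour.unc.edu": [
        "provider=https://idp.example.org/openid",
        "identity=https://idp.example.org/id/%u",
    ],
}

# Accept only usernames that form a single valid DNS label, so a local part
# containing dots cannot redirect the query to a different name.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def lookup_txt(name, zone):
    """Return TXT strings for `name`, else for a wildcard at the same depth.
    Stand-in for a real DNS query."""
    if name in zone:
        return zone[name]
    _first_label, _, rest = name.partition(".")
    return zone.get("*." + rest, [])


def parse_txt(strings):
    """Parse DNS-SD style key=value TXT strings into a dict; first key wins."""
    params = {}
    for s in strings:
        key, sep, value = s.partition("=")
        if sep and key.strip().lower() not in params:
            params[key.strip().lower()] = value.strip()
    return params


def expand(template, user, realm):
    """Fill %u / %r. The username is percent-encoded before insertion so it
    cannot introduce path, query or fragment separators into the URL."""
    return template.replace("%u", quote(user, safe="")).replace("%r", realm)


def discover(identifier, zone=SAMPLE_ZONE):
    """Map 'user@realm' to {'provider': url, 'identity': url}, or None."""
    user, sep, realm = identifier.rpartition("@")
    if not sep or not user or not realm or not _LABEL_RE.match(user):
        return None
    realm = realm.rstrip(".").lower()
    params = parse_txt(lookup_txt(f"{user}._openid._tcp.{realm}", zone))
    if "provider" not in params or "identity" not in params:
        return None
    result = {k: expand(params[k], user, realm) for k in ("provider", "identity")}
    # A plain DNS answer is unauthenticated without DNSSEC, so insist that
    # the URLs it hands back are at least HTTPS before using them.
    if not all(v.startswith("https://") for v in result.values()):
        return None
    return result


if __name__ == "__main__":
    for ident in ("ses@bonjour.unc.edu", "alice@bonjour.unc.edu",
                  "bad.user@bonjour.unc.edu", "ses@unknown.example"):
        print(ident, "->", discover(ident))
```

Running it maps `ses@bonjour.unc.edu` through the wildcard entry to the eritrea URLs from the quoted zone, while `alice@bonjour.unc.edu` is served by her own record. A relying party would still run normal OpenID discovery on the returned identity URL rather than trusting the DNS answer alone.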
