[OpenID] Fwd: Proposal: DNS based mapping/discovery for user at REALM identifiers
mart at degeneration.co.uk
Sat Mar 31 08:58:13 UTC 2007
Simon Spero wrote:
> Whenever I talk to people on campus about openid, I always seem to hear
> objections, mostly on aesthetic grounds, to the use of URLs as end-user
> visible identifiers. As Patrick McGoohan said, "I am not a web page, I
> am a free man"...
I'm not an email account either!
This is why RPs that are presenting user identifiers to the world should
primarily use my chosen "display name" but make the URL available for
disambiguation and cross-site referencing.
> DNS-SD Discovery
> DNS Service Discovery (DNS-SD) defines a set of mechanisms for locating
> services using the DNS. These mechanisms are the underpinnings of
> Apple's Bonjour.
> Services are represented in DNS-SD as pairs of SRV and TXT records.
> The SRV record providers hostname and port information. The TXT
> record carries any other service parameters in a key=value format.
> One approach to using DNS-SD for OpenID discovery is to define service
> parameters to carry identifier and provider format strings - for
> example, %u might stand for the user name, and %r might stand for the
> $ORIGIN _tcp.bonjour.unc.edu.
> _openid PTR eritrea._openid
> $ORIGIN _openid._tcp.bonjour.unc.edu.
> eritrea TXT "provider=https://eritrea.oit.unc.edu/openid1/%u
> <https://eritrea.oit.unc.edu/openid1/%25u>" \
> "identity= https://eritrea.oit.unc.edu/user/%u"
> SRV 0 0 443 eritrea.oit.unc.edu <http://eritrea.oit.unc.edu>.
> would map ses at bonjour.unc.edu <mailto:ses at bonjour.unc.edu> to provider
> url https://eritrea.oit.unc.edu/openid1/ses
> <https://eritrea.oit.unc.edu/openid1/ses> , and identity url
> https://eritrea.oit.unc.edu/user/ses .
> This approach allows much more flexibility in urls, but is best suited
> to cases where every user in a realm is authenticated by the same
> provider. This may be appropriate, but is more restrictive than behavior.
If you make a minor modification, you can make it more flexible:
When you see ses at bonjour.unc.edu, look for
ses._openid._tcp.bonjour.unc.edu (note that the username has now been
added in there).
If you allow there to be a wildcard CNAME under _openid and retain your
%u and %r placeholders (though given that % already has a special
meaning in URLs, a different marker might be better) then it remains
possible to do the case where everyone's handled by the same provider.
More information about the general