experimental namespace for openid.net

Santosh Rajan santrajan at gmail.com
Fri Jul 10 04:03:22 UTC 2009


Why don't you implement a proof of concept for XRD instead? We can then
formalize it. Why should we wait for XRI TC? After 11 years XRI TC can't even
sign an XML document reliably.


Dirk Balfanz wrote:
> 
> Hi guys,
> Google would like to launch a feature in which we're allowing our Google
> Apps hosted domains to become OpenID providers. The authentication part of
> it is pretty simple - Google is already logging in users to their apps, so
> we can also host an OP endpoint for those domains and send assertions back
> to Relying Parties. What is more difficult is the discovery part. We have
> been working with the XRI TC to define an XRD-based discovery protocol that
> would allow this kind of hosting of discovery documents on behalf of our
> customers.
> 
> We believe that providing proof-of-concept implementations drives
> standardization processes forward, so in this spirit we want to launch this
> feature in the near future, using a discovery protocol that as far as we can
> tell meets all the requirements of what the XRI TC is currently converging
> on, but which has not been vetted as an official standard (it's a chicken
> and egg thing - without PoC no standards, without standards by definition no
> standards-compliant implementations).
> 
> While we were tossing around ideas
> <http://markmail.org/message/ixc5led2lobdwij2> in
> the standardization committees we just used random identifiers for new XML
> namespaces, etc. that we would need for this discovery protocol. Now that
> we're about to launch we need to decide what to call these things. We would
> like to use a namespace in http://specs.openid.net/... because we want this
> kind of discovery protocol to be part of OpenID, but we can't really use
> them because we don't have a next-generation discovery protocol yet.
> 
> So what should we use? How about http://experimental.openid.net/... ? That
> way, Relying Parties know that what we're trying to do is be a part of the
> OpenID community and bring the protocol forward. On the other hand, this
> would also be a signal to the RP that they're using a feature that has not
> been vetted as a standard yet.
> 
> For example, a discovery document for a domain balfanz.net at Google might
> look like this (notice the "experimental" namespace and the XML elements
> using it):
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" />
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>     </ds:SignedInfo>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>
>           MIICgjCCA...
>         </ds:X509Certificate>
>         <ds:X509Certificate>
>           MIICsDCCAhmgAwIB...
>         </ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
>   <XRD>
>     <CanonicalID>balfanz.net</CanonicalID>
>     <Service priority="0">
>       <Type>http://specs.openid.net/auth/2.0/server</Type>
>       <Type>http://openid.net/srv/ax/1.0</Type>
>       <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>       <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
>     </Service>
>     <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
>       <Type>http://www.iana.org/assignments/relation/describedby</Type>
>       <MediaType>application/xrds+xml</MediaType>
>       <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
>       <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
>     </Service>
>   </XRD>
> </xrds:XRDS>
> 
> What do you guys think?
> 
> Dirk.
> 
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
> 
> 


-----

Santosh Rajan
http://santrajan.blogspot.com
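
Added example, not part of the original message and not Google's code: a sketch of how a Relying Party could read the discovery document quoted above by namespace URI rather than by prefix, keeping anything under http://experimental.openid.net/ apart from the vetted OpenID elements. The function names and the choice to treat that whole URI prefix as unvetted are assumptions; the sample omits the ds:Signature block and nothing is verified.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
EXPERIMENTAL_PREFIX = "http://experimental.openid.net/"  # assumption: all unvetted
OP_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"

# Sample input: the quoted discovery document with the ds:Signature block left
# out and wrapped values joined. No signature verification is attempted here.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <CanonicalID>balfanz.net</CanonicalID>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
    </Service>
    <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
      <Type>http://www.iana.org/assignments/relation/describedby</Type>
      <MediaType>application/xrds+xml</MediaType>
      <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
      <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
    </Service>
  </XRD>
</xrds:XRDS>"""


def split_qname(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def parse_discovery(xml_text):
    """Return (op_endpoints, experimental), matched on namespace URI, not prefix."""
    root = ET.fromstring(xml_text)
    op_endpoints, experimental = [], []
    for service in root.iter("{%s}Service" % XRD_NS):
        children = [split_qname(c.tag) + ((c.text or "").strip(),) for c in service]
        types = {v for ns, local, v in children if (ns, local) == (XRD_NS, "Type")}
        for ns, local, value in children:
            if (ns, local) == (XRD_NS, "URI") and OP_SERVER_TYPE in types:
                op_endpoints.append(value)
            elif ns.startswith(EXPERIMENTAL_PREFIX):
                # Unvetted extension: reported separately so the caller must opt in.
                experimental.append((ns, local, value))
    return op_endpoints, experimental
```

Because matching is on the namespace URI, a document that binds the same namespace to a different prefix yields the same result.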