Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

David Fuelling sappenin at gmail.com
Tue Jun 9 20:53:08 UTC 2009 

David,

Great questions -- see my thoughts/opinions inline...

david

On Tue, Jun 9, 2009 at 6:36 PM, David Recordon <david at sixapart.com> wrote:

> Hey David,I've been following some of the discovery work the past few
> months, but don't have a clear picture if the various components are
> actually solid enough to begin working with.
>

This is a valid concern.  From what I can gather from the XRD discussions,
it seems like the last remaining "issue" with XRD is the signature format to
adopt.  Other than that it seems like XRD is very close (XRI TC particpants
correct me if I'm wrong -- I don't speak for the TC as I've mainly been
lurking there).

Granted, it will take time to get community feedback on XRD, and move
through the OASIS standards mechanisms, but it seems like there's enough
meat there to begin drafting a document that would outline how the OpenID
community should utilize XRD (I think that's the expected deliverable from
the Discovery 2.1 WG, anyway).

To me, it seems like the 2.1 Discovery WG _could_ be happening in parallel.
After all, the 2.1 Discovery WG is only producing a "recommendations" doc.
The official 2.1 WG could choose to ignore that doc.


>  I know XRD is moving forward, but what's the state of site-meta (
> http://tools.ietf.org/html/draft-nottingham-site-meta-01)<http://tools.ietf.org/html/draft-nottingham-site-meta-01%29>or now WebFinger (
> http://code.google.com/p/webfinger/)?<http://code.google.com/p/webfinger/%29?> Is there something in WebFinger which wouldn't solve OpenID discovery
> entirely?
>

I'll defer to Eran on the state of site-meta.  I have been participating in
some preliminary (and brief) discussions on the webfinger list (see here:
http://groups.google.com/group/webfinger/browse_thread/thread/7936700f02b0049b).

I tend to agree with Eran about not needing to normatively specify
webfinger.  XRD really takes care of the entire discovery process for email
addresses (we just need the intro part that says "where to look" when
presented with an email-like identifier).  Essentially, webfinger would be a
2 sentence spec:

1.) Look for an "@", split the identifier around the "@", and use the
"domain" portion of the email to get the host-meta file.
2.) Use XRD to perform discovery on the identifier.

I wouldn't be opposed to making a normative spec out of webfinger, but in my
experience with EAUT and the discussions around email as an OpenID, there
were some fundamental disagreements about authorities for email addresses.
There's a significant camp of people that believe this information should be
included in DNS.  There's also a significant group of people who believe it
could be located an XRD file (or, "on the web").  And some (like me) who
believe it could be located in both places, with one taking precendence over
the other, plus clear rules of how to behave if one authority is missing.

All that to say, I think the OpenID community should take the _principles_
of webfinger, and create its own spec to deal with email addresses.  The
notion of getting a normative webfinger spec that satisfies every use case
on the Internet (i.e., a generic webfinger spec) seems a bit unlikely to me
(I could be wrong).

All that to say, I think we in OpenID land should specify how _we_ treat
email-like identifiers in our own normative spec, using the principles of
webfinger.

(whew -- sorry for being so long winded).

;)



> These questions and the lack of adoption of XRD, site-meta or completion of
> WebFinger have all contributed to my belief that we're still just not ready
> to redefine how OpenID's discovery process should work.
>

My opinion is that we know enough to get the ball rolling.  There are a lot
of other outstanding issues relating to discovery than just XRD.  It's a
valid point, though, and I would be open to the counter-arguement that says,
"we should wait till XRD, LRDD, etc are finalized before we consider them".
I guess I'm more of the opinion that the 2.1 Discovery WG is going to
produce a "guidance document" about 2.1 Discovery, and it seems like we know
enough about XRD and its associated protocols to begin discussing and
drafting that document.

I guess an additional, if not bigger, question is:  do we need a 2.1
Discovery WG to produce a "best practices" doc?



>
> Thoughts?
>
> Thanks,
> --David
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20090609/cd7ab0db/attachment.htm>

More information about the specs mailing list