Are the Discovery Components Done Enough? (Fwd: [security] OpenID Security Best Practices Doc)

David Fuelling sappenin at gmail.com
Tue Jun 9 21:06:19 UTC 2009


On Tue, Jun 9, 2009 at 7:00 PM, Santosh Rajan <santrajan at gmail.com> wrote:

>
> We need to remember that XRD only addresses discovery for URL identifiers.


This is not really true.  The XRD document schema only demands that an
identifier be a URI, both for the XRD document's "subject" (i.e., the
canonical-id) and the XRD document's "alias" (i.e., other synonym
Identifiers).

"david@google.com" is really the following URI: "mailto:david@google.com",
and would work just fine in XRD.



> XRD
> does not address email like identifiers. XRD actually has two properties.
> 1) generic format for resource descriptor documents (XRD documents)
> 2) protocol for obtaining XRD documents from HTTP(S) URIs.
> For email identifiers we are using only property (1) which is by and large
> defined, except for the signature part.
>

Actually, XRD relies on a "well known location" to begin the Discovery
process.  That is the subject of a different spec called "Host Meta" (
http://tools.ietf.org/html/draft-nottingham-site-meta-01).  FYI, Eran has a
great blog post on all of this here:
http://www.hueniverse.com/hueniverse/2009/03/the-discovery-protocol-stack.html

All that to say: as long as OpenID defines how to locate the "host-meta"
file for a particular Identifier (like an email address), then that
Identifier can work just fine with XRD, and we can then use that identifier
(e.g., an email address) in the OpenID flow (some other parts of the spec
would need to be adjusted for this to actually work, but you get the idea).

We (the OpenID community) just need to define how this is going to happen
(thus, the 2.1 Discovery WG).
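The mapping David sketches above (identifier to URI, URI to the host's host-meta location, then an XRD whose Subject/Alias must actually name the identifier you asked about), as an added illustration that is not code from the thread's authors or from the OpenID specs. The "/host-meta" path, the https scheme and the sample XRD document are assumptions constructed for the example.

```python
"""Identifier -> URI -> host-meta location, plus an XRD subject/alias check."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

HOST_META_PATH = "/host-meta"   # assumed path for the draft-nottingham-site-meta location
XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"   # XRD 1.0 namespace

# Constructed sample XRD: a URL subject with the email form as an alias.
SAMPLE_XRD = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://example.com/david</Subject>
  <Alias>mailto:david@example.com</Alias>
  <Link rel="http://specs.openid.net/auth/2.0/signon" href="https://example.com/openid"/>
</XRD>"""


def to_uri(identifier: str) -> str:
    """Normalise a user-typed identifier to a URI: email -> mailto:, bare host -> http://."""
    ident = identifier.strip()
    if ident.startswith("mailto:") or "://" in ident:
        return ident
    if "@" in ident:
        return "mailto:" + ident
    return "http://" + ident


def host_meta_url(uri: str, scheme: str = "https") -> str:
    """Locate the host-meta document for the host that owns this identifier."""
    if uri.startswith("mailto:"):
        parts = uri[len("mailto:"):].rsplit("@", 1)
        host = parts[1] if len(parts) == 2 else ""
    else:
        host = urlparse(uri).hostname or ""
    if not host:
        raise ValueError("identifier has no host part: %r" % uri)
    return "%s://%s%s" % (scheme, host.lower(), HOST_META_PATH)


def xrd_links_for(xrd_xml: str, uri: str) -> dict:
    """Return the XRD's rel->href Link map, but only if the document's Subject
    or one of its Aliases is the identifier we are discovering; a descriptor
    about some other subject must not be trusted for this identifier."""
    root = ET.fromstring(xrd_xml)
    names = [root.findtext(XRD_NS + "Subject")]
    names += [a.text for a in root.findall(XRD_NS + "Alias")]
    if uri not in names:
        raise ValueError("XRD subject %r does not describe %r" % (names[0], uri))
    return {l.get("rel"): l.get("href") for l in root.findall(XRD_NS + "Link")}
```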