[OpenID] cryptographics web of trust

Peter Williams pwilliams at rapattoni.com
Thu Aug 23 22:34:59 UTC 2007


The JanRain reference code clearly separates endpoint discovery from
OpenID Auth.

I shall now assume it is community-conforming for an OpenID consumer to
use ONLY local means to discover an OpenID server endpoint (and
therefore not ping the HTML or XRDS).

If no one objects to this assumption, it would be the basis for
reasonable community policy as follows:

1. OpenID Trademark license could insist that a vendor's Consumer code
SHALL perform HTML/XRDS processing as specified
2. Interworking trials SHALL verify... that these features work.
3. However, local configuration MAY entitle a particular OpenID run at
some Consumer to rely only on _local_ means of endpoint discovery.

For example, on (3), if the URI can be verified to be a resolvable
foafname -- and reliable FOAF information sets can be obtained with
suitable schema --  the endpoint information from that FOAF file MAY
obviate any and all use of HTML and/or XRDS files.

This is a reasonable community posture, and would be required anyway in
even a medium assurance deployment theatre. The local endpoint shall NOT
signal to infrastructure parties reliance on security critical data
objects (such as discovery resources).

In the equivalent PKI world, folks receiving SSL cert chains about an http
client SHALL not signal to the CA or the Directory Service that they are
picking the associated CRL based on the URL discovery signals in the
inbound certs, for example. The RP MAY pull the CRL from a local
Directory cache, ignoring the URLs in the SSL client cert. The RP may
alternatively use a local means for checking revocation standing - an
OCSP server that has post-processed CRLs to create a commingled
reputation service about client certs.
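The local-only discovery posture argued for above, as an added illustration that is not part of the original post or of the JanRain code: a consumer resolves the OpenID server endpoint from a locally configured, trusted table and, under the local-only policy, never fetches or parses the identifier's HTML (the `openid.server` / `openid.delegate` link relations of OpenID 1.x). The policy names, the `fetch` callable and the sample table and HTML are assumptions constructed for the example.

```python
"""OpenID 1.x endpoint discovery with a local-only policy (constructed example)."""
from html.parser import HTMLParser
from typing import Callable, Dict, Optional, Tuple

LOCAL_ONLY = "local-only"    # rely solely on locally configured endpoints
LOCAL_FIRST = "local-first"  # use the local table, fall back to HTML discovery

Endpoint = Tuple[str, Optional[str]]  # (server URL, delegate URL or None)


class _LinkRelParser(HTMLParser):
    """Collects <link rel="openid.server"|"openid.delegate" href=...> tags."""
    def __init__(self) -> None:
        super().__init__()
        self.found: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel in ("openid.server", "openid.delegate") and href:
            self.found.setdefault(rel, href)  # first occurrence wins


def discover_from_html(html: str) -> Optional[Endpoint]:
    """Remote (wire) discovery: parse the identifier page for link relations."""
    p = _LinkRelParser()
    p.feed(html)
    server = p.found.get("openid.server")
    return (server, p.found.get("openid.delegate")) if server else None


def resolve_endpoint(claimed_id: str, policy: str, local_table: Dict[str, Endpoint],
                     fetch: Callable[[str], str]) -> Optional[Endpoint]:
    """Return the endpoint for claimed_id under the given policy, or None.
    local_table is locally held, trusted data; fetch is only called when policy allows."""
    if claimed_id in local_table:
        return local_table[claimed_id]
    if policy == LOCAL_ONLY:
        return None  # discovery resources on the wire are never consulted
    if policy == LOCAL_FIRST:
        return discover_from_html(fetch(claimed_id))
    raise ValueError(f"unknown policy {policy!r}")


# Constructed sample data (hypothetical identifiers and endpoints)
LOCAL_TABLE: Dict[str, Endpoint] = {"https://alice.example/": ("https://idp.example/openid", None)}
SAMPLE_HTML = ('<html><head><link rel="openid.server" href="https://remote-idp.example/auth">'
               '<link rel="openid.delegate" href="https://remote-idp.example/u/bob"></head></html>')


def never_fetch(url: str) -> str:
    """Fetch stub that fails loudly if the consumer ever reaches for the network."""
    raise AssertionError(f"network discovery attempted for {url}")
```

Under LOCAL_ONLY an identifier absent from the local table is simply unresolvable, which is the intended failure mode: the consumer does not fall back to data it has not vetted.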


