[OpenID] RP Discovery

Jack jack at jackpot.uk.net
Fri Aug 31 10:28:48 UTC 2007


Peter Williams wrote:

[snipping brutally]
> 
> On Jack's point, it's perhaps not as many XRDS documents as it might
> imply. It's one per return_to, not one per token-using party behind
> that secure endpoint.
> 
> (c) Let's assume that NONE of the RP websites in some single realm
> HOST THEIR OWN OPENID ENDPOINT. Rather, they "offload" a common 
> token-accepting endpoint (per realm) to a central server, acting for
> all the resources in the realm.

One may *have* to assume that, because I can't see how you could host an
arbitrary number of protected resources without either providing
dynamically-generated XRDS, or alternatively having a "smart" endpoint
URL that already knows where the user wants to go. But the latter would
involve maintaining even more state at the RP, which I'm pretty sure
isn't what's intended (it's supposed to be straightforward to overlay
OpenID on an existing website).
> 
> We have to remember this is an identity2.0 spec, and think like the 
> designers. It's supposed to be paradigm-shifting!

Evidently I am finding that kind of thinking something of a challenge.
> 
> (d) Offloading security endpoints to a central server is something
> that of course we saw happen in the shift from SAML1 to SAML2. Rather
> than a website adding the SAML1 handlers of sourceid.org, the website
> cooperates with a SAML2 server (via some "offloading" mechanism or
> other). The shift from OpenID1 to OpenID2 parallels that, in ways
> I had not realized. I get it, now you point it out.

Well, I don't think that is what's intended. I hope it isn't...

> 
> Ok. I like this all the more.
> 
> Now I can see what Microsoft is up to. And that explains the patent
> negotiations within the silicon valley club.
> 
> There had to be something driving THAT DEGREE of manipulation of the
> IP.

These remarks are completely opaque to me.

-- 
Jack.
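The RP-discovery step the thread is arguing about, as an added illustration that is not code from either poster: the OP fetches the XRDS document at the realm, collects the advertised return_to endpoints (Peter's "one per return_to"), and accepts the request's return_to only if it both falls inside the realm under the OpenID 2.0 realm rules and has one of those endpoints as a prefix. The XRDS content, hostnames and the treatment of an explicit port are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

# Constructed XRDS, as a realm would publish it for RP discovery. In the
# "offloaded" design discussed above it lists just the one central
# token-accepting endpoint that serves every site in the realm.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="1">
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>https://auth.example.com/openid/return</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def return_to_endpoints(xrds_text):
    """Collect the URIs of every Service typed as a return_to endpoint."""
    root = ET.fromstring(xrds_text)
    uris = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type")]
        if RETURN_TO_TYPE in types:
            uris.extend(u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI"))
    return uris


def realm_matches(realm, return_to):
    """OpenID 2.0 realm rules: no fragment in the realm, identical scheme
    and port, host equal or covered by a leading '*.' wildcard, and the
    realm path a prefix of the return_to path."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.scheme != u.scheme or r.port != u.port:
        return False
    rhost, uhost = r.hostname or "", u.hostname or ""
    if rhost.startswith("*."):
        if not (uhost == rhost[2:] or uhost.endswith(rhost[1:])):
            return False
    elif rhost != uhost:
        return False
    return u.path.startswith(r.path or "/")


def return_to_verified(realm, return_to, xrds_text):
    """Accept only a return_to that is inside the realm AND extends one of
    the endpoints the realm's XRDS actually advertises."""
    if not realm_matches(realm, return_to):
        return False
    return any(return_to.startswith(ep) for ep in return_to_endpoints(xrds_text))
```

A return_to on a host inside the realm but not listed in the XRDS is rejected, which is exactly why a realm hosting many sites needs either one shared endpoint or a generated XRDS.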