[OpenID] is openid 2.0 a lightweight identity system?
Steve Churchill
steven.churchill at ootao.com
Fri Feb 9 19:14:51 UTC 2007
Martin Atkins wrote:
> Dmitry Shechtman wrote:
> > I don't know if this has been already suggested/implemented, but can't
> > an XRI identifier simply resolve to http://xri.net/identifier?
> >
An XRI proxy resolver is a web-based implementation of an XRI Resolver. The
<<identifier>> in http://xri.net/<<identifier>> is a parameter to the
abstract Resolver functional interface. One can pass additional resolver
parameters such as in:
<http://xri.net/=steven.churchill?_xrd_r=application/xrd%2Bxml;sep=false>
which results in a return of an XRDS.
The fact that http://xri.net/=steven.churchill performs a redirect to my
contact page is due to a combination of (1) default rules applying during
XRI Resolver service selection (resulting in the selection of my contact
service) and (2) that the Proxy resolver has a special mode (beyond standard
XRI resolution) in that it can perform a redirect to the final URI chosen
during service selection.
In summary, the http://xri.net/<<identifier>> is a way to perform XRI
resolution on <<identifier>> including service selection, and then
optionally redirect to the selected URI.
> Apparently (according to an XRI proponent who I can't remember) using
> that proxy resolver alone is not sufficient because it doesn't do
> CanonicalID verification.
An RP client library should be concerned about performing CanonicalID
verification. Unfortunately, it currently needs to do this "by hand". It should
perform XRI resolution with sep="true" for the OpenID service and then
re-resolve the CanonicalID in order to verify it. See
<http://dev.inames.net/wiki/XRI_CanonicalID_Verification> for more
information.
> I'd much prefer it if the proxy resolver could do *all* of the work, so
> that the OpenID implementation can be as simple as what you say above.
There will be an additional argument cid="true" that will have the resolver
(including Proxy resolver) perform the CID Verification so that the RP
client will not need to. This is coming soon.
~ Steve