[OpenID] Scheme in OP-Local ID
Jack
jack at jackpot.uk.net
Thu Sep 6 21:56:05 UTC 2007
Johnny Bufu wrote (quoting Peter):
>
>> We cannot make the assumption that XRDS metadata for normalized
>> user input URL will be identical with the XRDS metadata for the
>> claimed_id in the check_id response
>
> That's the equivalent of saying "we cannot make the assumption that
> verification of discovered information will succeed all the time,
> even when the XRDS discovery data is wrong or the OP issues bad
> assertions".
So we have potentially _three_ identifiers, and necessarily at least two
identifiers, being handled in each authentication transaction: the
claimed_id, and the user-supplied id, and possibly a distinct local_id.
Any two of these might be byte-for-byte identical, but they are
different things - because the claimed_id is validated, and neither of
the others is (and sadly, the one the user relies on is one of the two
that aren't validated - the user-supplied id.)
Obviously there are critical things that I haven't properly grasped
about the Draft 12 spec, although I'm getting closer, gradually. Peter
seems to be most jolly about these things, but I suspect he's not
engaged in trying to code it (I could be wrong).
I'd like to re-iterate my earlier remark, which was to the effect that
cute names are not what users need; they need to be able to understand
why mechanism X confers Y security properties, at least at a synoptic
level. From that perspective, it's not helpful that the name the user
trusts isn't the name that gets validated, and the name that the OP
prefers to use isn't necessarily either of those names.
("name", as a cute word for a name? Never mind.)
I've read posts suggesting that we can make the spec less complex by
delegating chunks of it to other specs. Exqueese me? You can't make
OpenID simpler by delegating a "simple" phrase in the spec to the Yadis
summary. The Yadis summary is nice, but you can't write code to parse an
XRDS document without understanding the semantics of XRDS, XRD _and_
Yadis. And the documentation on XRD and XRDS is not lightweight, despite
the fact that they are each rudimentary notations - because the
reasoning behind XRDS and XRD is all about XRI. You have to understand
that, too.
If you want to make a "simple" spec that is based on a bunch of complex
ideas that have been expounded elsewhere, then the way to do that is to
_incorporate_ the essential parts of those complex specs, rendering
those essential parts in terms as close to plain language as is
possible. But relying on OASIS for the clarity of your specs is a doomed
venture (and just to rub salt in, OASIS do everything in PDF, like
professors and patent-lawyers do).
I hope you don't mind me speaking in these rather blunt terms. I think
I've avoided cursing :-)
--
Jack.
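The three identifiers Jack enumerates (the user-supplied identifier, the claimed_id, and an optional distinct OP-Local Identifier), and the point that only the claimed_id is what the RP actually validates, can be made concrete in code. The following is an added example, not code from this thread or from any OpenID library: it models an RP that normalizes the user's input, runs discovery, and then checks a positive assertion against fresh discovery on the asserted claimed_id. It follows the HTTP-identifier normalization and "verify discovered information" rules as they appear in the finalized OpenID Authentication 2.0 spec (not Draft 12, which the thread discusses; that is an assumption on my part). Discovery is stubbed with an in-memory table so the code runs offline; the hostnames, the `DISCOVERY` table and the assertion dictionaries are constructed for illustration, and XRIs and the OP-Identifier/identifier_select flow are deliberately left out.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the result of Yadis/XRDS discovery on a claimed
# identifier. A real RP fetches the identifier URL and parses the XRDS; here
# it is a table so the example runs offline. All names are made up.
DISCOVERY = {
    "http://jack.example.net/": {
        "op_endpoint": "https://op.example.org/server",
        # Delegation: the OP knows this user by a different, OP-local name.
        "local_id": "https://op.example.org/user/jack",
    },
    "http://plain.example.net/": {
        "op_endpoint": "https://op.example.org/server",
        "local_id": None,   # no delegation: the OP-Local Identifier is the claimed_id itself
    },
}


def normalize(user_input: str) -> str:
    """Turn what the user typed into a Claimed Identifier URL.

    Applies the HTTP-identifier rules of OpenID 2.0 section 7.2 as I read them
    (assumption): add http:// if no scheme, lower-case scheme and host, make an
    empty path "/", and drop any fragment. XRIs are rejected rather than handled.
    """
    s = user_input.strip()
    if s.lower().startswith("xri://") or (s and s[0] in "=@+$!"):
        raise ValueError("XRI identifiers are not handled in this example")
    if not s.lower().startswith(("http://", "https://")):
        s = "http://" + s
    parts = urlsplit(s)
    path = parts.path or "/"
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


def discover(claimed_id: str):
    """Return the discovered service info for a claimed_id, or None if none found."""
    entry = DISCOVERY.get(claimed_id)
    if entry is None:
        return None
    return {
        "claimed_id": claimed_id,
        "op_endpoint": entry["op_endpoint"],
        # With no delegation the OP-Local Identifier equals the claimed_id.
        "local_id": entry["local_id"] or claimed_id,
    }


def verify_assertion(user_input: str, assertion: dict):
    """Check a positive assertion against fresh discovery on the asserted claimed_id.

    Returns (ok, reason). The claimed_id is the identifier that gets validated;
    the user-supplied identifier is only compared after normalization, and the
    OP-Local Identifier (openid.identity) must be the one discovery yields.
    """
    claimed = assertion.get("openid.claimed_id")
    if not claimed:
        return False, "no claimed_id in assertion"
    # The OP may append a fragment to the claimed_id; strip it before discovery.
    claimed_nofrag = urlunsplit(urlsplit(claimed)._replace(fragment=""))
    info = discover(claimed_nofrag)
    if info is None:
        return False, "discovery failed on asserted claimed_id"
    if info["op_endpoint"] != assertion.get("openid.op_endpoint"):
        return False, "op_endpoint mismatch"
    if info["local_id"] != assertion.get("openid.identity"):
        return False, "identity/local_id mismatch"
    # The RP must also check the asserted claimed_id is the one it started with;
    # otherwise an honest assertion for user A could be replayed to log in as B.
    if normalize(user_input) != claimed_nofrag:
        return False, "asserted claimed_id differs from what the user typed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed positive assertion for the delegated identifier above.
    good = {
        "openid.claimed_id": "http://jack.example.net/",
        "openid.identity": "https://op.example.org/user/jack",
        "openid.op_endpoint": "https://op.example.org/server",
    }
    print(verify_assertion("Jack.Example.Net", good))
    print(verify_assertion("plain.example.net", good))
```

The last check is the one that makes Jack's point visible: the user-supplied identifier never appears on the wire and is never validated by itself; it only matters insofar as its normalized form equals the claimed_id that discovery and the assertion agree on.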