[OpenID] Confirming XRD CanonicalIDs

Drummond Reed drummond.reed at cordance.net
Fri Apr 25 02:05:56 UTC 2008


Dan,

To answer your first question, first note that "CanonicalID verification"
(the official term for confirming that the provider of the XRD that contains
the <CanonicalID> element is authoritative for that Canonical ID) only
applies to XRIs, where the user's input i-name is always mapped to a
CanonicalID.

The basic idea of CanonicalID verification is simple: do a check at each
point in the XRI resolution path to make sure the CanonicalID of the next
XRDS document is a child of the CanonicalID element of the previous XRDS
document.

So for example if you are resolving =drummond*daughter, you first resolve
the first subsegment (=drummond) and make sure the CanonicalID returned in
the corresponding XRDS document is rooted in the XRI = registry.

Since the CanonicalID for =drummond is =!F83.62B1.44F.2813, that CanonicalID
verification test would pass.

You then resolve the second subsegment (*daughter) to get the next XRDS
document (this example is hypothetical, since I don't have a daughter). You
apply the same rule. Let's say the CanonicalID returned in that document was
=!F83.62B1.44F.2813!1234. Since that is rooted in =!F83.62B1.44F.2813,
CanonicalID verification would pass. 

But if the CanonicalID returned was =!A1B2.C3D4.5687.1010!1234, CanonicalID
verification would fail.

(For the "heavyweight" documentation of this - 1/2 page - see section 14.3
of
http://docs.oasis-open.org/xri/xri-resolution/2.0/specs/cd03/xri-resolution-V2.0-cd-03.html).

To answer your second question, doing CanonicalID verification automatically
is indeed a feature of the final XRI Resolution 2.0 spec and has just been
implemented in the OpenXRI code base (which is what XDI.org runs at
xri.net). This upgrade is currently in public testing on beta.xri.net
(please do try it out), and is scheduled to go into full production in early
May.

CanonicalID verification is the default, so xri.net will perform it for all
resolution requests unless you specifically ask for it to be turned off. If
CanonicalID verification fails at any point in the resolution chain, the
Status element of the first failing XRDS will be flagged
<Status cid="false"> and that flag will be set for all additional XRDS
documents in the resolution chain.

Hope this helps,

=Drummond 


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Dan Ragle
> Sent: Thursday, April 24, 2008 12:06 PM
> To: general at openid.net
> Subject: [OpenID] Confirming XRD CanonicalIDs
> 
> In the specs I read:
> 
>     "The Relying Party MUST confirm that the provider of the XRD
>      that contains the <CanonicalID> element is authoritative for
>      that Canonical ID and that this XRDS document is authoritative
>      for the OpenID Service Element. Relying Parties should either
>      do this manually or ensure that their resolver does this."
> 
> If possible, could someone provide or point me to some lightweight
> documentation that elaborates on this, i.e., discusses how such a
> confirmation would be manually performed? And does the proxy resolver
> at xri.net in fact do this already?
> 
> Thanks!
> 
> Dan Ragle
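The parent/child check Drummond describes above, as an added example in Python (not code from the thread or from OpenXRI): the resolver lookups are replaced by a constructed table, the function names are assumptions, and the =drummond*daughter values are the ones from his message.

```python
"""CanonicalID verification along an XRI resolution chain (added example)."""

SUBSEGMENT_DELIMS = ("*", "!")  # reassignable / persistent subsegment delimiters

# Constructed resolver stand-in: the CanonicalID each subsegment's XRDS returns.
# =drummond is the real value from the message; the *daughter values are the
# hypothetical ones it uses. A real resolver keys on the whole path so far.
GOOD_CHAIN = {
    "=drummond": "=!F83.62B1.44F.2813",
    "*daughter": "=!F83.62B1.44F.2813!1234",
}
BAD_CHAIN = {
    "=drummond": "=!F83.62B1.44F.2813",
    "*daughter": "=!A1B2.C3D4.5687.1010!1234",  # not rooted in the parent CID
}

def split_subsegments(xri: str) -> list:
    """'=drummond*daughter' -> ['=drummond', '*daughter'] (GCS char stays on the first)."""
    segs, current = [], xri[0]
    for ch in xri[1:]:
        if ch in SUBSEGMENT_DELIMS:
            segs.append(current)
            current = ch
        else:
            current += ch
    segs.append(current)
    return segs

def is_child_cid(parent: str, child: str) -> bool:
    """True iff child is parent plus exactly one more subsegment.
    A bare prefix test is not enough: '=!F83.62B1.44F.28131' starts with
    '=!F83.62B1.44F.2813' but is a different i-number."""
    if not child.startswith(parent):
        return False
    rest = child[len(parent):]
    if len(rest) < 2 or rest[0] not in SUBSEGMENT_DELIMS:
        return False
    return not any(d in rest[1:] for d in SUBSEGMENT_DELIMS)

def verify_chain(xri: str, lookup: dict) -> list:
    """(subsegment, CanonicalID, cid_ok) per XRDS in resolution order. The first
    XRDS must be rooted in the community root ('='), each later one in the previous
    CanonicalID; after one failure every later XRDS is flagged false as well."""
    parent, ok, results = xri[0], True, []
    for seg in split_subsegments(xri):
        cid = lookup[seg]
        ok = ok and is_child_cid(parent, cid)
        results.append((seg, cid, ok))
        parent = cid
    return results
```

Each False in the result corresponds to an XRDS that xri.net would flag with <Status cid="false">.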
