[OpenID] sharing XRI between SAML and OpenID; extending the XRD schema
Peter Williams
pwilliams at rapattoni.com
Sat Apr 26 17:24:30 UTC 2008
Looking for what SAML2 and OpenID2 each do best, and where they act in common with regard to security handling rules for their respective "Authentication Request protocols", I noted the following in [1]:
"Note that if the <AuthnRequest> is not authenticated and/or integrity protected, the information in it MUST NOT be trusted except as advisory. Whether the request is signed or not, the identity provider MUST ensure that any <AssertionConsumerServiceURL> or <AssertionConsumerServiceIndex> elements in the request are verified as belonging to the service provider to whom the response will be sent. Failure to do so can result in a man-in-the-middle attack."
First, SAML and OpenID are similar in that both characterize the fundamental controls in their handshake design in terms of "requests" (not responses).
Second, in the SAML case, metadata may be signed or not signed; and, similarly, requests may be signed or not signed. As we see above, "verification" is obligatory for the unsigned-request/unsigned-metadata cases. If I replace the term verification with the term "OP/RP discovery", we have a situation much like in OpenID2, mapping identifiers/realms into endpoints.
I'm wondering which infrastructure to use to distribute my SAML metadata (and possibly a Realtor's public FOAF data). One option is to put it in our application repository (RETS - an RDF like SPARQL server, that has a GETmetadata URI-bound transaction and that permits "community-extensions" to the (RETS) metadata schema). Another option is to put it in the XRDS/XRD, so XRI resolution can be shared when securing flows between SAML2 endpoints and also between OpenID endpoints. (I could even extend the RETS transaction model privately, to deliver XRDS documents!) Now, if I go with XRI as the data model, would I define an extension for the XRD schema, importing the SAML2 metadata schema say? If I do that, can this legitimately be done by private entities in the management model, or is this right reserved for an OASIS process?
The elements in the XRD schema are intended for generic resource description, including the metadata necessary for XRI resolution. [2]
An XRDS document is intended to serve exclusively as an XML container document for XML schemas from other XML namespaces. Therefore it has only a single root element xrds:XRDS in its own XML namespace identified by the XRI xri://$xrds. [2]
It also has a single attribute, xrds:XRDS/@xrds:ref of type anyURI that identifies the resource described by the XRDS document. The formal XML schema definition of an XRDS document is provided in Appendix A. [2]
[1] http://www.oasis-open.org/committees/download.php/22389/sstc-saml-profiles-errata-2.0-wd-05-diff.pdf
[2] http://www.oasis-open.org/committees/download.php/17293
_________________________
Peter Williams
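The verification rule quoted from [1] above, as an added example that is not part of the original post: an IdP-side check, in Python, that treats the AssertionConsumerServiceURL/Index in an unsigned AuthnRequest as advisory and honours it only when it matches what the issuing SP registered in its metadata. The entity ID, URLs and metadata document are constructed for illustration, and HTTP-POST is assumed when the request carries no ProtocolBinding.

```python
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed SP metadata for a hypothetical entity (not from the original post).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.invalid/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:AssertionConsumerService index="0" isDefault="true" Binding="{POST}"
        Location="https://sp.example.invalid/saml/acs"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.invalid/saml/artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def registered_acs(metadata_xml):
    """ACS endpoints the SP registered: by index, as a (Binding, Location) set, and the default."""
    root = ET.fromstring(metadata_xml)
    by_index, endpoints, default = {}, set(), None
    for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
        endpoint = (acs.get("Binding"), acs.get("Location"))
        by_index[int(acs.get("index"))] = endpoint
        endpoints.add(endpoint)
        if acs.get("isDefault") == "true":
            default = endpoint
    return root.get("entityID"), by_index, endpoints, default

def resolve_acs(authn_request_xml, metadata_xml):
    """Return the (Binding, Location) the IdP may respond to, or None. The request's
    ACS attributes are advisory: honoured only if the named Issuer registered them."""
    entity_id, by_index, endpoints, default = registered_acs(metadata_xml)
    req = ET.fromstring(authn_request_xml)
    if req.findtext(f"{{{SAML}}}Issuer") != entity_id:
        return None  # request does not come from the SP this metadata describes
    idx, url = req.get("AssertionConsumerServiceIndex"), req.get("AssertionConsumerServiceURL")
    if idx is not None:
        return by_index.get(int(idx)) if idx.isdigit() else None
    if url is not None:  # assumption: HTTP-POST when no ProtocolBinding is given
        endpoint = (req.get("ProtocolBinding", POST), url)
        return endpoint if endpoint in endpoints else None
    return default

def make_request(issuer, **acs_attrs):
    """Constructed, unsigned AuthnRequest, so everything in it is advisory."""
    attrs = " ".join(f'{k}="{v}"' for k, v in acs_attrs.items())
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
            f'Version="2.0" IssueInstant="2008-04-26T17:24:30Z" {attrs}>'
            f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
```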