[OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)

Peter Williams pwilliams at rapattoni.com
Wed Mar 5 16:07:55 UTC 2008


I like this topic, if only because I think I finally have enough of a handle on semweb theory to understand it. I also have enough mental model about the security controls in an openid infrastructure (woefully under-analyzed academically, particularly in the name/address discovery area) to see the design intent.

On the one hand we are dealing with the core nature of openid discovery and openid auth - the reliance by these subprotocols on a resource discovery protocol (HTTP) that was never intended to play the role that openid puts it in. "The Web is a specific political experiment in social engineering, don't mess with our manifesto, OpenIDers!".

On the other hand, openid is imposing identity semantics on the internet/web - and need not be limited to the semantics of bearer protocols. "It's just a bit pipe, stupid."

As OpenID is not really leveraging HTTP in its as-designed role: identify and locate web resources. Openid is certainly not leveraging the use of HTTPS in its as-designed role: obtain assurance for a secure pipe terminating at a certified security-endpoint known as "a website->DNS binding". Doing neither of those things, what is it doing? An OpenID OP is really "making a statement about" resources (and one day may even fulfill its vision to make statements about assurance).

With little doubt, I the OP can choose to state that this or that redirect message (treated as protocol states rather than references to resources) is an OpenID - a notion that need not be tied to URIs or to the semantics of the HTTP service.

As someone said earlier in this thread, an OpenID happens to be a URL, but that does not mean it's a URI - or has URI semantics.

In making statements about statements, perhaps OpenID is more semweb in nature than it realizes.




From: Noah Slater
Sent: Wed 3/5/2008 6:01 AM
To: Drummond Reed
Cc: david at sixapart.com; general at openid.net
Subject: Re: [OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)


On Tue, Mar 04, 2008 at 07:55:41PM -0800, Drummond Reed wrote:
> I'm not an OpenID editor but I remember that there was a great deal of
> discussion around this and there was a good reason (security as I recall)
> that the final redirect needed to be treated as the claimed identifier.

I would love to hear this reasoning because it makes no sense to me at the moment.

> 3) From a SemWeb standpoint, I believe the right answer is that ALL the
> identifiers in the chain - the original identifier, all redirects, and any
> "override" back from the OP - should all be considered synonyms for the
> identified resource. In other words, rdf:sameAs statements.

This is incorrect. 303 redirects do not imply rdf:sameAs.

--
Noah Slater <http://bytesexual.org/>