[OpenID] Calling OpenID 2.0 editors (was RE: Problems withOpenID and TAG httpRange-14)
Peter Williams
pwilliams at rapattoni.com
Wed Mar 5 17:50:12 UTC 2008
When a SAML redirect or artifact binding occurs in the ping-pong handshakes between a chain of 5 of those types of websso servers, do the 10 redirects each refer to resources?
Not in the static-resource publishing sense, anyways!
ok ok, a "resource" in semweb-land is a generic. Thus, even a temporary protocol state in a chaining/proxying server can be a "resource" subject to HTTP semantics or RDF description.
But are we really suggesting that a claimed identifier returned from OpenID discovery might really be such as: a redirect bearing an encoded SAMLRequest, along with it a digital signature (per the SAML REDIRECT binding onto bearers)?
Surely not. That use of HTTP 302's by SAML leverages the notion of "temporary artifact", where the artifact is really not designed to be interpreted as a resource. While an artifact is in fact a resource formally, it's only so in the mind of the SAML protocol entities that have imposed this interpretation model.
Now, SAML as a spec has no known issue with either semweb or HTTP semantics, note. Perhaps, OpenID ought to use "artifact" notions and terminology too - to maintain semantic consistency with the rest of the ever-evolving web infrastructure.
From: Drummond Reed
Sent: Wed 3/5/2008 9:32 AM
To: 'Noah Slater'
Cc: david at sixapart.com; general at openid.net
Subject: Re: [OpenID] Calling OpenID 2.0 editors (was RE: Problems withOpenID and TAG httpRange-14)
> -----Original Message-----
> From: Noah Slater [mailto:nslater at bytesexual.org]
> Sent: Wednesday, March 05, 2008 6:01 AM
> To: Drummond Reed
> Cc: 'Eddy Nigg (StartCom Ltd.)'; 'John Panzer'; david at sixapart.com;
> general at openid.net
> Subject: Re: [OpenID] Calling OpenID 2.0 editors (was RE: Problems
> withOpenID and TAG httpRange-14)
>
> On Tue, Mar 04, 2008 at 07:55:41PM -0800, Drummond Reed wrote:
> > I'm not an OpenID editor but I remember that there was a great deal of
> > discussion around this and there was a good reason (security as I recall)
> > that the final redirect needed to be treated as the claimed identifier.
>
> I would love to hear this reasoning because it makes no sense to me at the
> moment.
Editors, hellooo-ooo-ooo?
> > 3) From a SemWeb standpoint, I believe the right answer is that ALL the
> > identifiers in the chain - the original identifier, all redirects, and any
> > "override" back from the OP - should all be considered synonyms for the
> > identified resource. In other words, rdf:sameAs statements.
>
> This is incorrect. 303 redirects do not imply rdf:sameAs.
Noah, it would be helpful to me to understand why this is so. Are they not all
identifiers of the same resource? Isn't that what a redirect means? Or are
you saying that the fact they are identifiers that resolve to a resource
does not make them RDF statements?
=Drummond