[OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)
Drummond Reed
drummond.reed at cordance.net
Wed Mar 12 18:47:41 UTC 2008
Peter, it's a good point that OpenID explicitly deals with identifiers. To
be even more precise, OpenID explicitly deals with _abstract identifiers_ --
identifiers that do not reference a resource directly, but only indirectly via
reference to a description of that resource. (URNs are a classic example of
abstract identifiers - http://en.wikipedia.org/wiki/Uniform_Resource_Name).
Even though it's a URL, an OpenID URL is an abstract identifier because it
always resolves to another identifier (the OP URL). It can do that
resolution through an HTTP header, an HTML tag, or an XRDS document.

In the case of an OpenID XRI, it is by definition an abstract structured
identifier and resolves to a concrete identifier (or other metadata
describing the identified resource) via an XRDS document.

It's worth highlighting this because synonym management for abstract
identifiers takes place at a higher level than HTTP. For example, the XRI
Resolution 2.0 spec
(http://docs.oasis-open.org/xri/2.0/specs/xri-resolution-V2.0.html) defines
four types of XRI synonyms that can be asserted in an XRDS document,
together with the synonym verification rules to prevent spoofing. OpenID
Authentication 2.0 takes advantage of this by specifying that if the user's
OpenID is an XRI, RPs MUST use the XRDS CanonicalID synonym (after
verification) as the user's Claimed Identifier. (The main reason for this -
preventing OpenID recycling -- is explained in detail in an ACM paper given
last week at the IDtrust Symposium -
http://middleware.internet2.edu/idtrust/2008/papers/01-reed-openid-xri-xrds.pdf).

Although HTTP(S) is used for XRI resolution, the semantics of HTTP redirects
plays no part at all in determining or verifying XRI synonyms because these
synonym relationships are at the abstract identifier level and not the
concrete identifier level.

I think the same applies to OpenID URLs -- because they are abstract
identifiers, the synonym relationships are specified by the OpenID
Authentication spec and not by HTTP redirect semantics.

=Drummond

> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Peter Williams
> Sent: Wednesday, March 12, 2008 7:43 AM
> To: Brendan Taylor; general at openid.net
> Subject: Re: [OpenID] Calling OpenID 2.0 editors
> (was RE: Problems with OpenID and TAG httpRange-14)
>
> OpenID, on the other hand, deals in identifiers. The documents involved
> are just a convenient way of figuring out what identifiers to use.
>
> Which is along the lines of what I said: we are not using http to collect
> web resources.
>
> Openid does deal with identifiers, but they are not uris/urls in the
> formal sense of the uri rfc. Openid uses the syntax, but not the semantics
> - as to use the semantics would contradict the assumption above (uris
> identify web resources, including uri references that are resources in the
> semweb sense, in and of themselves)
>
> We know the compliance argument has been dealt with : other upper layers
> have already done what openid discovery protocol does: ignore the link
> management semantics of http redirects.
>
> This leaves the clickthru and the remembering issue - which is valid and
> pertinent. We could handle it openid.next by improving unsolicited auth,
> or standardizing openid discovery's use of redirects signals for openid
> purposes (only) when xris are not involved.