[OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)

Peter Williams pwilliams at rapattoni.com
Sat Mar 22 06:43:50 UTC 2008


Noah

I've managed to finally use all my (deliberately consumer-grade) infrastructure to actually hopefully construct the scenario under discussion. I've also got an implementation issue which requires the type of analysis underway in this thread.

I've configured various mappings onto http and (xri.net-mapped) XRI-based URIs, for what I understand to be the intended cases, and typical use cases, of OpenID discovery. (So far, I've not touched XRDS or HTML metadata based delegation.)


Unused by anything
lockxri.homepw.org has a TXT record with value @freeid*lockbox

Namespace redirects
freelock.homepw.org gets a DNS HTTP Redirect to http://xri.net/@freeid*lockbox
lockbox.homepw.org gets a DNS HTTP Redirect to http://rapattoni.trustbearer.com/lockbox

CNAME delegations
op.homepw.org is delegated to myopenid.com
homepw.op.homepw.org is mapped explicitly to homepw.myopenid.com

Typing "lockbox.homepw.org" into http://rapattoni.trustbearer.com/consumer pings 1 of the several OPs that said consumer webapp de/multiplexes, based currently on the namespace+domainname of the Redirect URI.

Most able users can easily type "lockbox.X" per the UI model of OpenID, which DNS + OpenID rules for normalization map to http://Y/lockbox/. I'm assuming DNS is partially trusted to map X basically to Y using a DNS-based HTTP redirect, of which there are several X<->Y mappings in my demultiplexing scheme.

In my abnormal OP implementation, http://Y is the SAML entityName that I use as the back end locator(s) addressing particular SAML server(s) and the SAML entityIDs associated with each OP-Identifier -- where each entity implements particular security controls associated with each of my several OPs. (I'm thinking of creating the convention that http://xri.net/@freeid would be an example of the form of the SAML entityName, when an organizational HXRI is recognised.)

Let's note that it's not the OP webapp that is engaging in redirects. It's DNS, configured by parties other than the OP admin.

Now, if I follow your argument (and my HTTP spec skills *are* limited), if the redirect from DNS was subsequently further redirected into a 303 See Other, then since freelock.homepw.org is initially mapped onto http://xri.net/@freeid*lockbox which could then be 303 mapped to http://xri.net/@blog*lockbox, my demultiplexor should use an entity name of http://xri.net/@freeid*lockbox when being conforming with HTTP semantics. If I understand John right, the OpenID identity in my auth request should be http://xri.net/@blog*lockbox.

Now, unlike claimed ID fields, my use of DNS/Redirects to map OpenID constructs to SAML entity names is not controlled by the OpenID standard. I choose what happens. I can choose HTTP compliance, being a local implementation matter.

Have I got the right mental model for handling the 303 in my private discovery process, if I choose conforming/compliant behaviour?

peter.
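The redirect chain described above, as an added example that is not part of this thread or of any project mentioned in it: a small Python resolver that follows discovery redirects with a hop cap and loop check, records which hop was a 303, and returns the final URL (the Claimed Identifier under OpenID Authentication 2.0, section 7.2) alongside the pre-303 URI that a strict HTTP reading would keep. The redirect table stands in for DNS/HTTP fetches and is constructed, as are the loop.example entries.

```python
from urllib.parse import urlparse

MAX_HOPS = 10
REDIRECT_CODES = {301, 302, 303, 307}

# Constructed stand-in for DNS/HTTP fetches: url -> (status, Location header).
# Mirrors the scenario in the mail; the 303 hop is the hypothetical one raised there.
FAKE_NET = {
    "http://freelock.homepw.org/": (302, "http://xri.net/@freeid*lockbox"),
    "http://xri.net/@freeid*lockbox": (303, "http://xri.net/@blog*lockbox"),
    "http://xri.net/@blog*lockbox": (200, None),
    "http://loop.example/a": (301, "http://loop.example/b"),  # constructed loop
    "http://loop.example/b": (301, "http://loop.example/a"),
}

def normalize(url):
    """Minimal OpenID 2.0 URL normalization: add scheme, lowercase scheme/host, ensure a path, drop fragment."""
    if "://" not in url:
        url = "http://" + url
    p = urlparse(url)
    return p._replace(scheme=p.scheme.lower(), netloc=p.netloc.lower(),
                      path=p.path or "/", fragment="").geturl()

def resolve(user_supplied, fetch=FAKE_NET.get):
    """Return (claimed_id, hops); each hop is (from_url, status, location).
    Raises ValueError on loops, excessive hops or non-HTTP schemes, so whoever
    controls DNS or a redirect cannot walk discovery off the web or spin it forever."""
    url, hops, seen = normalize(user_supplied), [], set()
    while True:
        if urlparse(url).scheme not in ("http", "https"):
            raise ValueError("non-HTTP scheme in redirect chain: " + url)
        if url in seen:
            raise ValueError("redirect loop at " + url)
        if len(hops) >= MAX_HOPS:
            raise ValueError("too many redirects")
        seen.add(url)
        status, location = fetch(url) or (404, None)
        if status in REDIRECT_CODES and location:
            hops.append((url, status, location))
            url = normalize(location)
            continue
        if status != 200:
            raise ValueError(f"discovery failed with HTTP {status} at {url}")
        # OpenID Authentication 2.0 sec. 7.2: the final URL after following
        # redirects is the Claimed Identifier sent in the authentication request.
        return url, hops

def pre_303_identifier(hops):
    """Source URI of the first 303 hop, i.e. what a strict HTTP reading
    (303 means 'see other', not 'moved') would keep as the identifier; None if no 303."""
    return next((src for src, status, _ in hops if status == 303), None)
```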
From: Noah Slater
Sent: Mon 3/17/2008 10:41 AM
To: Drummond Reed
Cc: general at openid.net
Subject: Re: [OpenID] Calling OpenID 2.0 editors (was RE: Problems with OpenID and TAG httpRange-14)


On Fri, Mar 14, 2008 at 05:17:47PM -0700, Drummond Reed wrote:
> Again, you can no more require relationships between identifiers at the
> abstract OpenID level to follow the relationships of identifiers at the HTTP
> layer than you can require relationships between identifiers at the HTTP
> level to follow the relationships of identifiers at the TCP/IP layer.

This is misleading for several reasons.

OpenID, as I understand it, violates HTTP semantics.

HTTP does not violate any of the TCP/IP semantics.

Where OpenID uses URIs it should obey the semantics all the way down.

Calling the URI concrete at one level and abstract at another level is a nice
way to explain the conceptual difference you perceive but it is not a magic
ticket that makes violation of HTTP any more appetising.

--
Noah Slater <http://bytesexual.org/>