[OpenID] OpenID Identity Discovery with XRI and XRDS

Peter Williams pwilliams at rapattoni.com
Tue Nov 11 02:21:09 UTC 2008


I just reread Drummond et al.'s infamous (really, well-written) paper on the design motivations of openid auth 2.0, particularly as those motivations refer to discovery. It's well worth rereading, occasionally.

 OpenID Identity Discovery with XRI and XRDS

Drummond Reed
Cordance Corp. 3020 Issaquah-Pinelake RDF #74 Sammamish WA 98075 +1.206.618.8530
drummond.reed at cordance.net

Les Chasen
Neustar, Inc. 46000 Center Oak Plaza Sterling VA 20166 +1.571.434.5474
les.chasen at neustar.biz

William Tan
Neustar, Inc. 46000 Center Oak Plaza Sterling VA 20166 +1.571.434.5400
william.tan at neustar.biz

On the matter of directed id, it mentions only (almost as an afterthought) the constraint that an OP MAY impose on the directed identities about which it makes assertions: that when -- and if -- an OP assigns i-numbers in ITS OWN DELEGATION space, then the persistence and security properties of XRIs hold for the directed id flow. [PW paraphrase, hopefully accurate.] As far as my limited ability allows, I think that the properties hold even if the OP masks the values to create a pairwise identity value.

This is all interesting for two reasons:

The first is for what it seems to say implicitly: that, during directed identity, an OP MAY assert an i-number that (a) it has not assigned, or (b) it has assigned from a namespace other than the delegation space of the particular OP Identifier cited in the request.

The second concerns OAUTH and OpenID - since they are befriending each other again. There it's interesting to note comments about the anticipated role of localid: "new trust models based on existing XRDS elements such as <xrd:ProviderID> and <xrd:LocalID>". That is: localid as the "vehicle" for representing the long lost OpenID trust model. (I have long considered that an ideal localid would be an encoded X.509 cert, one of whose subject names would be the HXRI or the classical openid URL-like identifier.)

From: general-bounces at openid.net [mailto:general-bounces at openid.net] On Behalf Of Peter Williams
Sent: Monday, November 10, 2008 7:28 AM
Cc: OpenID List
Subject: [LIKELY_SPAM]Re: [OpenID] [LIKELY_SPAM]Re: [LIKELY_SPAM]Re: Problems with delegation and directed identity OPs

More on this topic:

Though in our experiments where an OpenID2 OP fronted a SAML2 sp-initiator entity requiring the IDP to use a persistent format (which passes a SAML2 "masked identity claim" through to the OpenID RP), I still considered the solution consistent with the definition:
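An added illustration of the two points Peter raises above (this is example code written for this archive page, not code from Peter, from the paper, or from any OpenID library): an OP deriving a masked, pairwise directed identity inside its own namespace, and the RP-side check that OpenID Authentication 2.0 (section 11.2, "Verifying Discovered Information") requires before accepting an assertion, namely re-running discovery on the returned claimed_id and confirming that the asserting OP endpoint is authoritative for it. That check is what rejects an OP that asserts an identifier it did not assign, or one from another OP's namespace. The OP namespace, endpoint URLs, the HMAC key and the discovery table are all constructed for this example; the HMAC-over-(user, realm) construction is one common way to build a stable pairwise identifier, not something the original post specifies.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values for this example only; not a real deployment or key.
OP_NAMESPACE = "https://op.example.net/id/"
OP_ENDPOINT = "https://op.example.net/server"
OP_PAIRWISE_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed stand-in for Yadis/XRDS (or XRI) discovery results: which OP
# endpoint discovery reports as authoritative for identifiers under each
# namespace. A real RP obtains this over the network for the returned
# claimed_id; it must never trust the assertion's own op_endpoint value.
DISCOVERED_AUTHORITY = {
    OP_NAMESPACE: OP_ENDPOINT,
    "https://other-op.example/id/": "https://other-op.example/server",
}


def pairwise_directed_id(local_user: str, rp_realm: str,
                         key: bytes = OP_PAIRWISE_KEY) -> str:
    """OP side: derive a masked (pairwise) directed identifier.

    The value is an HMAC over the OP-local account and the RP realm, so the
    same user gets a different identifier at every RP (no cross-RP
    correlation), yet the identifier is stable across logins at one RP and
    stays inside the OP's own delegation namespace. The 0x00 separator keeps
    (user, realm) pairs from colliding when concatenated.
    """
    msg = local_user.encode() + b"\x00" + rp_realm.encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return OP_NAMESPACE + tag[:32]


def discover_authoritative_endpoint(claimed_id: str) -> Optional[str]:
    """RP side: (simulated) discovery on the claimed_id from the assertion.

    Returns the endpoint that discovery says may speak for this identifier,
    or None if discovery yields nothing (unknown namespace).
    """
    for namespace, endpoint in DISCOVERED_AUTHORITY.items():
        if claimed_id.startswith(namespace) and len(claimed_id) > len(namespace):
            return endpoint
    return None


def accept_directed_assertion(claimed_id: str, asserting_endpoint: str) -> bool:
    """RP side: accept a positive assertion only if discovery on the
    returned claimed_id names the endpoint that made the assertion.

    This is the check that stops an OP from asserting an identifier it did
    not assign, or one drawn from another OP's namespace: the returned
    claimed_id is treated as untrusted input until discovery confirms the
    asserting OP is authoritative for it.
    """
    authoritative = discover_authoritative_endpoint(claimed_id)
    return authoritative is not None and authoritative == asserting_endpoint


if __name__ == "__main__":
    cid = pairwise_directed_id("alice", "https://rp.example.org/")
    print("pairwise id:", cid)
    print("same user at same RP, stable:",
          cid == pairwise_directed_id("alice", "https://rp.example.org/"))
    print("same user at other RP, unlinkable:",
          cid != pairwise_directed_id("alice", "https://rp2.example.org/"))
    print("accepted from own OP:", accept_directed_assertion(cid, OP_ENDPOINT))
    print("rejected, foreign namespace:",
          accept_directed_assertion("https://other-op.example/id/abc", OP_ENDPOINT))
    print("rejected, unknown namespace:",
          accept_directed_assertion("https://nowhere.example/id/abc", OP_ENDPOINT))
```

Note that the RP keys the decision on the result of discovery for the returned claimed_id, not on anything the OP put in the response; the OP may well "mask" the value, as Peter describes, and that is fine as long as the masked value still resolves to that OP.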

