[OpenID] OpenID SREG best practice question

SitG Admin sysadmin at shadowsinthegarden.com
Fri Nov 14 01:31:08 UTC 2008


>One thing I experimented  with, to keep the UCI (sp-centric) faith, 
>was put the URL of the users own AX endpoint in one of the sreg 
>fields

I'm still playing catch-up with the list (finally, some free time!), 
and refamiliarizing myself with the terminology, so I forgot for a 
moment what AX meant and thought you were referring to the XRDS file 
URL.

Then it occurred to me that this wouldn't be a bad idea.

Specify your URI *and* OP in an XRDS file that can be hosted 
anywhere, and you might be able to sidestep the lack of HTTPS at your 
URI's site. (This is essentially Directed Identity from arbitrary 
hosts, directing RPs to look at the specified URI for headers 
indicating the specified OP and then, if and only if it found a 
match for both, proceeding as if the URI host used HTTPS.)

The next question being, how do we trust XRDS files with uncached 
contents at arbitrary locations (most likely entered by an attacker 
when they've set up an insecure URI "host" to spoof someone's 
OpenID), and for that I'm thinking XRI might have an answer somewhere 
- I'm just not quite sure *how*.

-Shade
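The cross-check the post sketches, as an added example that is not code from the post or from any OpenID library: an RP-side routine that parses an externally hosted XRDS document, parses the OpenID 2.0 HTML discovery `<link rel="openid2.provider">` / `<link rel="openid2.local_id">` tags served at the claimed URI, and accepts the XRDS only when both name the same OP endpoint (and the same local ID, where both state one). The XRDS and HTML samples, and every host name in them, are constructed placeholders; the function names are my own. The check binds the uncached, attacker-reachable XRDS to what the claimed URI itself publishes, so controlling the XRDS location alone is not enough to redirect an RP; it does nothing about the transport of the URI's own page, which is the HTTPS gap the post is working around.

```python
"""Cross-check an externally hosted XRDS document against the OpenID 2.0
HTML discovery <link> tags served at the claimed identifier URI.

Added example, not code from the original mailing-list post. All URLs,
the sample XRDS and the sample HTML below are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

XRD_NS = "xri://$xrd*($v*2.0)"          # XRD 2.0 namespace used inside XRDS
OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"


def parse_xrds(xrds_text: str):
    """Return (op_endpoint, local_id) from the first OpenID 2.0 signon
    <Service> in an XRDS document, or (None, None) if there is none."""
    root = ET.fromstring(xrds_text)
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        if OPENID2_SIGNON not in types:
            continue
        uri = svc.find(f"{{{XRD_NS}}}URI")
        local = svc.find(f"{{{XRD_NS}}}LocalID")
        return (uri.text.strip() if uri is not None and uri.text else None,
                local.text.strip() if local is not None and local.text else None)
    return (None, None)


class _LinkCollector(HTMLParser):
    """Collect <link rel="openid2.*" href="..."> tags (OpenID 2.0 HTML discovery)."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel") or "", a.get("href")
        if not href:
            return
        for r in rel.split():          # rel may carry several space-separated values
            if r in ("openid2.provider", "openid2.local_id"):
                self.links.setdefault(r, href.strip())   # first occurrence wins


def parse_html_discovery(html_text: str):
    """Return (op_endpoint, local_id) from the page at the claimed URI."""
    p = _LinkCollector()
    p.feed(html_text)
    return p.links.get("openid2.provider"), p.links.get("openid2.local_id")


def cross_check(xrds_text: str, html_text: str) -> dict:
    """Accept the XRDS only if the claimed URI's own page names the same OP
    endpoint (and the same local ID, when both sides state one)."""
    xrds_op, xrds_local = parse_xrds(xrds_text)
    html_op, html_local = parse_html_discovery(html_text)
    if xrds_op is None:
        return {"ok": False, "reason": "no OpenID 2.0 signon service in XRDS"}
    if html_op is None:
        return {"ok": False, "reason": "claimed URI publishes no openid2.provider link"}
    if xrds_op != html_op:
        return {"ok": False, "reason": "OP endpoint mismatch",
                "xrds": xrds_op, "uri": html_op}
    if xrds_local and html_local and xrds_local != html_local:
        return {"ok": False, "reason": "local ID mismatch",
                "xrds": xrds_local, "uri": html_local}
    return {"ok": True, "op_endpoint": xrds_op, "local_id": xrds_local or html_local}


# Constructed sample inputs (placeholder hosts, not real services).
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.net/server</URI>
      <LocalID>https://op.example.net/id/alice</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
"""

SAMPLE_HTML_MATCH = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="https://op.example.net/id/alice">
</head><body>alice</body></html>"""

SAMPLE_HTML_MISMATCH = """<html><head>
<link rel="openid2.provider" href="https://op.example.org/server">
</head><body>alice</body></html>"""

if __name__ == "__main__":
    print(cross_check(SAMPLE_XRDS, SAMPLE_HTML_MATCH))      # ok: True
    print(cross_check(SAMPLE_XRDS, SAMPLE_HTML_MISMATCH))   # ok: False, OP endpoint mismatch
```

In a real RP the two inputs come from separate fetches (the XRDS from wherever it is hosted, the HTML from the claimed URI), and the RP should only proceed with the endpoint that both agree on; a mismatch or a missing link on the claimed URI is a refusal, not a fallback to the XRDS alone.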
