[OpenID] plaxo to myopenid, with signed XRD (not Google/Yahoo signed XRD conforming)

[Peter Williams]

ive been playing with free XRIs, some more - with the help of the kind folks at XDI.org.  We added XRD signing to one of the public servers - per the original spec for XRI resolution v2. There have been no multi-vendor interworking trials, so we don't really know what assumptions we built into the code that are inappropriate. But, trivially, its client works with its own server for signing and verifying XRDs, and handling chains of signed XRDs.



The namespaces supported by the freexri.com server now some pretty straightforward metadata signing, using xmldsig and enveloped signatures based on conventional canonicalization practices - vs Google's byte-centric canonicalization. Each XRD in the chain of naming handoffs is signed - when required. Normally, the verification key from any one node comes from the link/service element of the previous authority in the chain.



If you are not familar with trusted resolution model underlying XRD and XRI resolution... imagine a chain of certs, and now replace that idea with a chain of signed XRDs... Having collected the chain of assertions, you verify them as a chain... rather like one verifies an X.509 certificate chain.



I need some help from a RP to test more. Ive gone as far as I can with plaxo -> myopenid (via the freexri openid i-service doing openid-delegation). The test so far established that the changes we made had no impact on production interoperability, providing noone asks for the signed mode! In that test, the XRI @blog*sigtest*sigtestchild*sigtestchildchild typed into plaxo succesfully delegates to myopenid account. Between my XRD and plaxo, we have done something right, because myopenid is willing to speak for this delegation (unlikes some others Ive tried that run into myopenid's authority spoofing checks).



Now, if plaxo were to do



curl -H "Accept: application/xrds+xml;saml=true" http://resolve.freexri.com/ns/@blog/*sigtest*sigtestchild*sigtestchildchild



they would get go see under the hood what WOULD happen if the plaxo RP altered its XRI resolver/proxy to require the saml-signing variant of XRI resolution.



Now, none of this signing of XRD is very useful until the name resolver at suich as the plaxo RP (or the proxy used by plaxo RP) verifies the signatures and ENFORCES chaining policy.



Ive modified (at my usual incompetence level) the openidxri client library for java to verify the signature and enforce chaining.



Would anyone be willing to now take that library - a variant of the standard java library for xri resolution - and combine it with a test openid RP ? ...to now see how signed XRD handling might affect behavior, user experience, etc?