[OpenID] typepads interesting service for leaving comments

John Bradley john.bradley at wingaa.com
Wed Aug 26 18:24:51 UTC 2009


You could make the default service return your XRDS.   I suspect that  
it would break the RP as it is not expecting a full XRDS.

As a side effect you would lose your contact service.

Part of the new XRD work involves harmonizing discovery and formats  
between URLs and XRI.

The trust models are still quite different; that, and having openID use
the canonicalID (Subject in XRD) rather than the URL after following
redirects, still remain challenges.

I think most of the good features of XRI discovery will be available  
to URLs with XRD.

John B.

On 26-Aug-09, at 1:52 PM, Peter Williams wrote:

> So let me guess what's going on.
>
> I thought I was trying to assert @blog*lockbox. But, I used the HXRI  
> form of that XRI, which is resolved by a proxy. The proxy works with  
> sensitive settings in the XRD to choose services.
>
> The proxy decides to collect the default SEP, which is the +contact  
> service (thus ignoring the openid +login service). The RP doing  
> discovery then follows that contact SEP's redirects, and lands on an  
> HTML page.
>
> As it happens, that HTML page has meta-tag discovery data. It in  
> fact DOES do HTML-style delegation, back to the XRI server. Not that  
> I knew it, but I have several delegations going on, including one  
> between the contact URL and the XRI server authority!!
>
> Scream.  I Love the XRI stuff, but it is SO OVERLOADED with semantics.
>
> So, to fix, if I now were to make the +login service the default  
> SEP, rather than the +contact SEP, does this mean the XRI proxy  
> would retrieve and send the XRDS to the typepad rather than redirect  
> consumer discovery via 302's to the HTML-based metadata?
>
>
> -----Original Message-----
> From: John Bradley [mailto:john.bradley at wingaa.com]
> Sent: Wednesday, August 26, 2009 10:24 AM
> To: openid-general at lists.openid.net
> Cc: Peter Williams
> Subject: [OpenID] typepads interesting service for leaving comments
>
> Peter,
>
> The xri.net proxy is redirecting the RP's discovery to your default
> service via a http 302.  This happens to be your contact page as you
> have your XRDS configured.
>
> At that point the RP is doing HTML discovery.
> If you look at the HTML of your contact page it contains:
> <link rel="openid.server" href="https://authn.freexri.com/authentication/" />
> <link rel="openid2.provider" href="https://authn.freexri.com/authentication/" />
> <link rel="openid.delegate" href="http://xri.net/@!E459.819D.771.7990!5B62.6F13.7602.5176" />
> <link rel="openid2.local_id" href="http://xri.net/@!E459.819D.771.7990!5B62.6F13.7602.5176" />
> The RP never sees the XRDS.  You have a simple case of delegation via
> HTML tags.
> You could change your contact page to include an X-XRDS-Location or
> delegate to someplace else as you like.
> Changing your XRDS contact service will let you point to a blog or any
> other page with the correct markup to use as an openID.   However the
> target URL will become your claimed_id.
> John B.
>
> On 26-Aug-09, at 12:48 PM, openid-general-request at lists.openid.net
> wrote:
>
>> Date: Wed, 26 Aug 2009 08:18:33 -0700
>> From: Peter Williams <pwilliams at rapattoni.com>
>> Subject: [OpenID] typepads interesting service for leaving comments;
>>      per synonym delegation of OPs
>> To: "openid-general at lists.openid.net"
>>      <openid-general at lists.openid.net>
>> Message-ID:
>>      <BFBC0F17A99938458360C863B716FE463DCDF23913 at simmbox01.rapnt.com>
>> Content-Type: text/plain; charset="us-ascii"
>>
>> http://aws.typepad.com/aws/2009/08/introducing-amazon-virtual-private-cloud-vpc.html
>> has a signin form. Rather than "sign" a comment, you just login to
>> the commenting system (and can logout). Unlike google blogging, you
>> don't need to have/retain a blog-side account.
>>
>> So, I signed in.
>>
>> First with home_pw.myopenid.com (using my good ol myopenid account).
>>
>> Second with http://xri.net/@blog*lockbox (the url form of my good ol
>> XRI from freexri.com).
>>
>> The really interesting part was the second login.
>>
>>
>> a.       The freexri.com OP UX notes the cid, and asks me to confirm
>> that this long number is my identity. ( I just said yes, like the
>> average consumer will). After all, this is all the OP knows about
>> me, on the typepad site, by design.
>>
>>
>>
>> b.      After Openid Auth is all done, the commenting form then
>> views me as: contact.freexri.com/contact/@blog*lockbox
>> - a URL that presumably folks can use to followup with me about my
>> own rant (seeing as the site is a messaging frontend to my (hidden)
>> emailbox).
>>
>> I'm not real competent enough in XRI and SEP selection parameters to
>> know... but I half believe that if I fiddle around with my XRD
>> enough I - the user! - can actually control the URL shown in (b).
>>
>> We are almost there! This was  viable, mainstream and has UCI (vs fb-
>> style) features that were generally comprehensible. They gave me
>> what I USED TO THINK OPENID WAS ALL ABOUT (a bit of autonomy from
>> providers).
>>
>> It also revealed a feature that I don't understand. The XRI variant
>> identity WAS SUPPOSED to do delegation to myopenid rather than the
>> XRI server showing its own login page as an OP. And, it USED TO WORK.
>>
>> When I look at the config of my XRD (at my freexri.com site), I note:
>>
>> "This i-service [openid] is bound to this specific XRI instead of its
>> authority. This means that it will not be shared by synonyms of this
>> XRI."
>>
>> I'm GUESSING that since the openid consumer focused (per the spec) on
>> the XRI cid rather than XRI synonym I used, the rules in my XRD mean
>> that typepad RP does NOT detect that I have delegation armed (for
>> that synonym).
>>
>>
>
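
Added example (not part of the original thread, and not code from xri.net, freexri.com or TypePad): a minimal RP-side sketch of the discovery path described above, where the proxy's 302 leads to HTML discovery and the final URL becomes the claimed_id. The redirect table is a constructed stand-in for the network, the http:// scheme on the contact URL is an assumption, and the link markup is the one quoted in the thread.

```python
from html.parser import HTMLParser

# Constructed stand-in for the network (URL -> status, headers, body); http:// on CONTACT is assumed.
CONTACT = "http://contact.freexri.com/contact/@blog*lockbox"
I_NUMBER = "http://xri.net/@!E459.819D.771.7990!5B62.6F13.7602.5176"
OP = "https://authn.freexri.com/authentication/"
CONTACT_HTML = f"""<html><head>
<link rel="openid.server" href="{OP}" />
<link rel="openid2.provider" href="{OP}" />
<link rel="openid.delegate" href="{I_NUMBER}" />
<link rel="openid2.local_id" href="{I_NUMBER}" />
</head><body>contact form</body></html>"""
PAGES = {
    "http://xri.net/@blog*lockbox": (302, {"Location": CONTACT}, ""),
    CONTACT: (200, {}, CONTACT_HTML),
}

class LinkCollector(HTMLParser):
    """Collects <link rel=... href=...> pairs; rel may hold several tokens."""
    def __init__(self):
        super().__init__()
        self.rels = {}
    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.rels.setdefault(rel, (a.get("href") or "").strip())

def discover(identifier, pages=PAGES, max_redirects=5):
    """Return what an RP learns from URL-style discovery on `identifier`."""
    url = identifier
    for _ in range(max_redirects + 1):
        status, headers, body = pages[url]
        if status not in (301, 302, 303, 307):
            break
        url = headers["Location"]          # the RP follows the proxy's redirect
    else:
        raise ValueError("too many redirects")
    result = {"claimed_id": url}           # final URL, not the XRI that was typed
    if "X-XRDS-Location" in headers:       # Yadis pointer: RP would fetch the XRDS
        return {**result, "method": "yadis", "xrds": headers["X-XRDS-Location"]}
    parser = LinkCollector()
    parser.feed(body)
    for version, ep, local in (("2.0", "openid2.provider", "openid2.local_id"),
                               ("1.1", "openid.server", "openid.delegate")):
        if ep in parser.rels:
            return {**result, "method": "html", "version": version,
                    "op_endpoint": parser.rels[ep],
                    "local_id": parser.rels.get(local, url)}
    raise ValueError("no OpenID discovery data found")
```

Calling discover("http://xri.net/@blog*lockbox") yields the contact URL as claimed_id with the i-number as local_id, which matches the identity the commenting form displayed; the XRDS is never consulted on this path.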


