[OpenID] User-editable XRDS files?
Peter Williams
pwilliams at rapattoni.com
Fri Feb 6 00:58:56 UTC 2009
Yup - and that's the weakness of the OpenID security model - the OP is too powerful (you, the user, are screwed when the OP decides to go out of policy). Of course, there is a counter - exploit vanity delegation, and perform selective release of service elements per RP.
Contrast OpenID Auth's design with the SAML WebSSO design, where some SAML profiles have the _user_ dynamically sign a "confirmation" element within the assertion ...mostly to show control is jointly shared with the OP TTP. It's up to RPs to enforce this, of course. (RPs in OpenID could be doing something similar, by only accepting or soliciting assertions from OPs sourced to user [dynamically] signed XRDS files, too.)
Funny to see the pretty common characterization that vanity OpenIDs are "advanced" - and basically "things for weirdos". Obviously, there is a major business venture opportunity here - proxying the major OPs - by getting the user's XRDS seen by the discovery agent of the RP before that of the major OP brands.
I can see the typical OP (like the typical CA) just hating that idea. They always want to control the first and last mile of the user experience.
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Martin Atkins
> Sent: Thursday, February 05, 2009 4:46 PM
> To: general at openid.net
> Subject: Re: [OpenID] User-editable XRDS files?
>
> Peter Williams wrote:
> > And the final steps...
> >
> > Copy the result to some simple public file store outside of the
> control of the OP.
> >
>
> No.
>
> That would obviously be an optional step for an advanced user who is
> hosting his own identifier.
>
> If you don't trust whoever hosts your identifier, then you're already
> screwed.
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
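Worked example, added here as an illustration and not code from the thread or from any OpenID implementation. It shows the two halves of the "vanity delegation" argument above: the user publishes their own XRDS and decides, per RP realm, which OP service elements to release (selective release), and the RP's discovery agent reads that user-controlled file, not the OP's, to find the OP endpoint. The hosts (alice.example, op-a.example, op-b.example, intranet.example, forum.example), the release policy and the service data are constructed for the example; the XRDS element names, namespaces, the priority semantics (lower value wins, a missing attribute sorts last) and the "use the last XRD" rule are from Yadis/OpenID 2.0 discovery. Signing the XRDS, which the message also floats, is not shown.

```python
"""Vanity OpenID delegation: the user-hosted XRDS decides which OP an RP talks to."""
import xml.etree.ElementTree as ET

XRD = "xri://$xrd*($v*2.0)"
XRDS = "xri://$xrds"
OPENID1 = "http://openid.net/xmlns/1.0"
SIGNON_20 = "http://specs.openid.net/auth/2.0/signon"
SIGNON_11 = "http://openid.net/signon/1.1"

# Constructed sample services (hypothetical hosts): (types, OP endpoint, OP-local id).
WORK = ([SIGNON_20, SIGNON_11], "https://op-a.example/server", "https://op-a.example/id/alice")
PERSONAL = ([SIGNON_20], "https://op-b.example/server", "https://op-b.example/user/alice")

# Constructed per-RP release policy: realm -> list of (priority, service). The user,
# not either OP, chooses what each RP gets to see when it discovers https://alice.example/.
RELEASE_POLICY = {
    "https://intranet.example/": [(10, WORK)],               # employer's RP sees only the work OP
    "https://forum.example/": [(10, PERSONAL), (20, WORK)],  # personal OP preferred, work as fallback
}
DEFAULT_RELEASE = [(None, PERSONAL)]                         # no priority attribute at all


def build_xrds(services):
    """User side: serialise (priority, (types, uri, local_id)) entries as an XRDS document.

    The delegation is written both as <LocalID> (OpenID 2.0) and <openid:Delegate>
    (OpenID 1.1) so that either RP generation resolves the same OP-local identifier.
    """
    ET.register_namespace("xrds", XRDS)
    ET.register_namespace("", XRD)        # default namespace for XRD/Service/Type/URI/LocalID
    ET.register_namespace("openid", OPENID1)
    root = ET.Element(f"{{{XRDS}}}XRDS")
    xrd = ET.SubElement(root, f"{{{XRD}}}XRD")
    for priority, (types, uri, local_id) in services:
        svc = ET.SubElement(xrd, f"{{{XRD}}}Service")
        if priority is not None:
            svc.set("priority", str(priority))
        for t in types:
            ET.SubElement(svc, f"{{{XRD}}}Type").text = t
        ET.SubElement(svc, f"{{{XRD}}}URI").text = uri
        if local_id:
            ET.SubElement(svc, f"{{{XRD}}}LocalID").text = local_id
            ET.SubElement(svc, f"{{{OPENID1}}}Delegate").text = local_id
    return ET.tostring(root, encoding="unicode")


def publish_for_rp(realm):
    """User side: the XRDS served to a given RP realm under the release policy."""
    return build_xrds(RELEASE_POLICY.get(realm, DEFAULT_RELEASE))


def discover(xrds_text, prefer=(SIGNON_20, SIGNON_11)):
    """RP side: choose OP endpoint and OP-local id from the user's XRDS.

    Yadis: the last <XRD> is authoritative. OpenID 2.0 services outrank 1.1 ones;
    within a type, a lower priority attribute wins and a missing attribute sorts
    last. Ties are broken by document order here for determinism (the spec allows
    a random pick). Returns None when no usable service is present.
    """
    root = ET.fromstring(xrds_text)
    xrd = root.findall(f"{{{XRD}}}XRD")[-1]
    candidates = []
    for pos, svc in enumerate(xrd.findall(f"{{{XRD}}}Service")):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD}}}Type") if t.text}
        for rank, wanted in enumerate(prefer):
            if wanted in types:
                break
        else:
            continue  # service offers none of the types this RP speaks
        uri = svc.findtext(f"{{{XRD}}}URI")
        if not uri:
            continue
        prio = svc.get("priority")
        prio_key = (prio is None, int(prio) if prio is not None else 0, pos)
        local_id = svc.findtext(f"{{{XRD}}}LocalID") or svc.findtext(f"{{{OPENID1}}}Delegate")
        candidates.append((rank, prio_key, uri.strip(), (local_id or "").strip() or None, wanted))
    if not candidates:
        return None
    _, _, uri, local_id, wanted = min(candidates)
    return {"op_endpoint": uri, "op_local_id": local_id, "type": wanted}


if __name__ == "__main__":
    for realm in ("https://intranet.example/", "https://forum.example/", "https://other.example/"):
        print(realm, "->", discover(publish_for_rp(realm)))
```

Because the RP resolves the claimed identifier https://alice.example/ and reads this file, the user can move between OPs, or expose different OPs to different RPs, without either OP's cooperation; an RP that only spoke OpenID 1.1 (`prefer=(SIGNON_11,)`) would still land on the work OP, since that is the only service advertising the 1.1 type.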