[OpenID] experimental namespace for openid.net

Dirk Balfanz balfanz at google.com
Fri Jul 10 18:56:43 UTC 2009


On Fri, Jul 10, 2009 at 11:46 AM, Peter Williams <pwilliams at rapattoni.com> wrote:

> There is a relationship between 2 https urls (which have their own trust
> chains of certs), and there is a chain of certs in the xrd.
>
> Is there a writeup of the validation logic, combining all the trust signals
> for the signing keys?
>

There is something here:
https://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery, but
mostly this has been a discussion on the XRI TC.

But anyway, the point wasn't really to ask whether the discovery mechanism
makes sense (that discussion is happening in the XRI TC), but which XML
namespaces to use in a proof-of-concept implementation that is supposed to
showcase the state of the discussion before the spec is gelled down.

Dirk.


> It looks rather like it's set up for a SAML HoK type validation logic, where
> the SSL client has to show knowledge of a secret. If that secret is derived
> (properly) from the SSL master secret, such that uer-sr SSL session can
> validate the HoK secret, folk are on the right track. But folks have to
> disclose the crypto used to link the 2 SSL sessions. If the crypto for that
> leverages the key in the XRD's own certs, then I can see how it would all
> work - and I see how that can also serve as a "custom" association handle
> (rather than using the awful inband DH).
>
> ________________________________
> From: Dirk Balfanz <balfanz at google.com>
> Sent: Friday, July 10, 2009 11:26 AM
> To: specs at openid.net <specs at openid.net>; general at openid.net List <general at openid.net>
> Subject: Re: [OpenID] experimental namespace for openid.net
>
> [+general at openid.net for a broader audience]
>
> On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz <balfanz at google.com> wrote:
> Hi guys,
>
> Google would like to launch a feature in which we're allowing our Google
> Apps hosted domains to become OpenID providers. The authentication part of
> it is pretty simple - Google is already logging in users to their apps, so
> we can also host an OP endpoint for those domains and send assertions back
> to Relying Parties. What is more difficult is the discovery part. We have
> been working with the XRI TC to define an XRD-based discovery protocol that
> would allow this kind of hosting of discovery documents on behalf of our
> customers.
>
> We believe that providing proof-of-concept implementations drives
> standardization processes forward, so in this spirit we want to launch this
> feature in the near future, using a discovery protocol that as far as we can
> tell meets all the requirements of what the XRI TC is currently converging
> on, but which has not been vetted as an official standard (it's a chicken
> and egg thing - without PoC no standards, without standards by definition no
> standards-compliant implementations).
>
> While we were tossing around ideas <
> http://markmail.org/message/ixc5led2lobdwij2> in the standardization
> committees we just used random identifiers for new XML namespaces, etc. that
> we would need for this discovery protocol. Now that we're about to launch we
> need to decide what to call these things. We would like to use a namespace
> in http://specs.openid.net/... because we want this kind of discovery
> protocol to be part of OpenID, but we can't really use them because we don't
> have a next-generation discovery protocol yet.
>
> So what should we use? How about http://experimental.openid.net/... ? That
> way, Relying Parties know that what we're trying to do is be a part of the
> OpenID community and bring the protocol forward. On the other hand, this
> would also be a signal to the RP that they're using a feature that has not
> been vetted as a standard yet.
>
> For example, a discovery document for a domain balfanz.net at Google might
> look like this (notice the "experimental" namespace and the XML elements
> using it):
>
> <?xml version="1.0" encoding="UTF-8"?>
> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" />
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>     </ds:SignedInfo>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>MIICgjCCA...</ds:X509Certificate>
>         <ds:X509Certificate>MIICsDCCAhmgAwIB...</ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
>   <XRD>
>     <CanonicalID>balfanz.net</CanonicalID>
>     <Service priority="0">
>       <Type>http://specs.openid.net/auth/2.0/server</Type>
>       <Type>http://openid.net/srv/ax/1.0</Type>
>       <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>       <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
>     </Service>
>     <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
>       <Type>http://www.iana.org/assignments/relation/describedby</Type>
>       <MediaType>application/xrds+xml</MediaType>
>       <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
>       <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
>     </Service>
>   </XRD>
> </xrds:XRDS>
>
> What do you guys think?
>
> Dirk.
>
>
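An added example, not part of the thread and not Google's or the XRI TC's code: a small Relying-Party-side parser for the site XRDS document quoted above. It runs on a constructed copy of that document (certificate bodies are placeholders, not real DER), pulls out the OP endpoint, the certificate chain carried in ds:KeyInfo, the experimental URITemplate and NextAuthority, and flags that the document relies on the experimental namespace, which is the signal Dirk proposes RPs should see. The helper names, the namespace and type constants, and the rule that `{%uri}` is replaced by the percent-encoded user identifier are assumptions made for the example; the mail shows the template but does not define its expansion. Signature verification is deliberately left out: the quoted document has no SignatureValue and the mail does not state which octets are signed or how the two certificates chain to the https endpoints, which is exactly the validation logic Peter asks about.

```python
"""Added example (not from the mailing-list thread or from Google): parse the
site XRDS shown in the mail and extract what a Relying Party would act on."""
import xml.etree.ElementTree as ET
from urllib.parse import quote

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Namespace proposed in the mail; nothing outside the thread defines it.
EXPERIMENTAL_NS = "http://experimental.openid.net/google/2009/07/xmlns/"
OPENID_SERVER_TYPE = "http://specs.openid.net/auth/2.0/server"
DESCRIBEDBY_TYPE = "http://www.iana.org/assignments/relation/describedby"
URI_PLACEHOLDER = "{%uri}"  # assumption: literal token the RP substitutes

# Constructed input mirroring the mail's example; the certificate text is a
# placeholder, not a real certificate.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICgjCCA...</ds:X509Certificate>
      <ds:X509Certificate>MIICsDCCAhmgAwIB...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <XRD>
    <CanonicalID>balfanz.net</CanonicalID>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
    </Service>
    <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
      <Type>http://www.iana.org/assignments/relation/describedby</Type>
      <MediaType>application/xrds+xml</MediaType>
      <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
      <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _tag(ns, name):
    return "{%s}%s" % (ns, name)


def _child_texts(el, ns, name):
    """Text of the direct children of el with the given namespaced tag."""
    return [(c.text or "").strip() for c in el if c.tag == _tag(ns, name)]


def parse_site_xrds(xrds_bytes):
    """Parse a site XRDS and return the fields an RP needs for discovery.

    The document uses a raw-octets canonicalization method, so a verifier
    must keep the bytes it received; this function parses them without
    re-serialising anything."""
    root = ET.fromstring(xrds_bytes)
    if root.tag != _tag(XRDS_NS, "XRDS"):
        raise ValueError("not an XRDS document")
    xrds = [c for c in root if c.tag == _tag(XRD_NS, "XRD")]
    if not xrds:
        raise ValueError("no XRD element")
    xrd = xrds[0]
    info = {
        "canonical_id": (_child_texts(xrd, XRD_NS, "CanonicalID") or [""])[0],
        "op_endpoints": [],
        "uri_template": "",
        "next_authority": "",
        # chain carried in ds:KeyInfo, in document order, still base64
        "certificates": [(c.text or "").strip()
                         for c in root.iter(_tag(DS_NS, "X509Certificate"))],
        # true if any element in the document lives in the experimental ns
        "uses_experimental": any(el.tag.startswith("{%s}" % EXPERIMENTAL_NS)
                                 for el in root.iter()),
    }
    for svc in (c for c in xrd if c.tag == _tag(XRD_NS, "Service")):
        types = set(_child_texts(svc, XRD_NS, "Type"))
        if OPENID_SERVER_TYPE in types:
            info["op_endpoints"].extend(_child_texts(svc, XRD_NS, "URI"))
        if DESCRIBEDBY_TYPE in types:
            info["uri_template"] = (_child_texts(svc, EXPERIMENTAL_NS, "URITemplate") or [""])[0]
            info["next_authority"] = (_child_texts(svc, EXPERIMENTAL_NS, "NextAuthority") or [""])[0]
    return info


def expand_uri_template(template, user_identifier):
    """Build the per-user XRDS URL.  Assumption: {%uri} is replaced by the
    percent-encoded identifier, so ':' '/' '?' '&' in it cannot alter the
    query string of the hosted endpoint."""
    if URI_PLACEHOLDER not in template:
        raise ValueError("template has no %s placeholder" % URI_PLACEHOLDER)
    return template.replace(URI_PLACEHOLDER, quote(user_identifier, safe=""))


if __name__ == "__main__":
    site = parse_site_xrds(SAMPLE_XRDS)
    print(site)
    print(expand_uri_template(site["uri_template"], "http://balfanz.net/dirk"))
```

The stdlib parser is used here only because the input is constructed; an RP parsing discovery documents fetched from the network should use a hardened parser (for example defusedxml) so entity expansion in a hostile XRDS cannot exhaust memory.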