[OpenID] experimental namespace for openid.net
Peter Williams
pwilliams at rapattoni.com
Fri Jul 10 19:36:24 UTC 2009
Let's remember that we are operating on this discovery topic in a culture in which corporate board members have access to political and economic info that community board members do not have, that members do not have, and folks in the openid community (e.g. Peter) do not have. To be fair, the likes of Peter should have no such access!
About the only redeeming feature was that the governance apparatus was only used for PR purposes, vs technical decision making.
If Google is making openid ops of millions of domains, I can live with a bit of PR stage management to get positive initial press. The good of such massive adoption outweighs the evil of a bit of staged news management.
Now that the cat is out of the bag, I think that even nominal endorsement (allowing use of the domain) should require complete technical disclosure. There should be an authorized release of the XRI TC draft to the specs list. Openid.net experimental domains may only be referenced by those protocols for which (authorized) draft dumps have been made.
-----Original Message-----
From: George Fletcher <gffletch at aol.com>
Sent: Friday, July 10, 2009 11:59 AM
To: Dirk Balfanz <balfanz at google.com>
Cc: specs at openid.net <specs at openid.net>; general at openid.net List <general at openid.net>
Subject: Re: [OpenID] experimental namespace for openid.net
+1 to http://experimental.openid.net
It would be good to add this to the "repository" work Breno and John are
doing as having a registry for experimental URIs would be good as well.
Thanks,
George
Dirk Balfanz wrote:
> [+general at openid.net for a broader audience]
>
> On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz <balfanz at google.com> wrote:
>
> Hi guys,
>
> Google would like to launch a feature in which we're allowing our
> Google Apps hosted domains to become OpenID providers. The
> authentication part of it is pretty simple - Google is already
> logging in users to their apps, so we can also host an OP endpoint
> for those domains and send assertions back to Relying Parties.
> What is more difficult is the discovery part. We have been working
> with the XRI TC to define a XRD-based discovery protocol that
> would allow this kind of hosting of discovery documents on behalf
> of our customers.
>
> We believe that providing proof-of-concept implementations drives
> standardization processes forward, so in this spirit we want to
> launch this feature in the near future, using a discovery protocol
> that as far as we can tell meets all the requirements of what the
> XRI TC is currently converging on, but which has not been vetted
> as an official standard (it's a chicken and egg thing - without
> PoC no standards, without standards by definition no
> standards-compliant implementations).
>
> While we were tossing around ideas
> <http://markmail.org/message/ixc5led2lobdwij2> in the
> standardization committees we just used random identifiers for new
> XML namespaces, etc. that we would need for this discovery
> protocol. Now that we're about to launch we need to decide what to
> call these things. We would like to use a namespace
> in http://specs.openid.net/... because we want this kind of
> discovery protocol to be part of OpenID, but we can't really use
> them because we don't have a next-generation discovery protocol yet.
>
> So what should we use? How
> about http://experimental.openid.net/... ? That way, Relying
> Parties know that what we're trying to do is be a part of the
> OpenID community and bring the protocol forward. On the other
> hand, this would also be a signal to the RP that they're using a
> feature that has not been vetted as a standard yet.
>
> For example, a discovery document for a domain balfanz.net
> at Google might look like this (notice the
> "experimental" namespace and the XML elements using it):
>
> <?xml version="1.0" encoding="UTF-8"?>
> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" />
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>     </ds:SignedInfo>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>
>           MIICgjCCA...
>         </ds:X509Certificate>
>         <ds:X509Certificate>
>           MIICsDCCAhmgAwIB...
>         </ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
>   <XRD>
>     <CanonicalID>balfanz.net</CanonicalID>
>     <Service priority="0">
>       <Type>http://specs.openid.net/auth/2.0/server</Type>
>       <Type>http://openid.net/srv/ax/1.0</Type>
>       <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>       <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
>     </Service>
>     <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
>       <Type>http://www.iana.org/assignments/relation/describedby</Type>
>       <MediaType>application/xrds+xml</MediaType>
>       <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
>       <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
>     </Service>
>   </XRD>
> </xrds:XRDS>
>
> What do you guys think?
>
> Dirk.
>
> _______________________________________________
> specs mailing list
> specs at openid.net
> http://openid.net/mailman/listinfo/specs
>
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
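The discovery document Dirk posted, seen from the Relying Party side, as an added example that is not code from the thread, from Google or from the XRI TC: it parses an XRDS of that shape, picks the OpenID 2.0 server endpoint by priority, expands the experimental URITemplate for a user identifier, and reports which elements came from an experimental.openid.net namespace so the RP can log that it relied on an unvetted feature. The sample document is constructed after the posted one (certificate body is a placeholder), and the rule that {%uri} expands to the percent-encoded user identifier is an assumption read off the posted template.

```python
"""Added example (not from the thread): RP-side parsing of an XRDS document
of the shape posted by Dirk, including the experimental-namespace elements.
Sample document is constructed; {%uri} expansion rule is an assumption."""
import xml.etree.ElementTree as ET
from urllib.parse import quote

XRD_NS = "xri://$xrd*($v*2.0)"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
OPENID_SERVER = "http://specs.openid.net/auth/2.0/server"
DESCRIBEDBY = "http://www.iana.org/assignments/relation/describedby"
EXPERIMENTAL_PREFIX = "http://experimental.openid.net/"
NO_PRIORITY = 2**31  # a Service without a priority attribute is treated as lowest priority here

# Constructed sample modelled on the posted document; the certificate is a placeholder.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo>
   <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets"/>
   <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  </ds:SignedInfo>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
 <XRD>
  <CanonicalID>balfanz.net</CanonicalID>
  <Service priority="0">
   <Type>http://specs.openid.net/auth/2.0/server</Type>
   <Type>http://openid.net/srv/ax/1.0</Type>
   <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
  </Service>
  <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
   <Type>http://www.iana.org/assignments/relation/describedby</Type>
   <MediaType>application/xrds+xml</MediaType>
   <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
   <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
  </Service>
 </XRD>
</xrds:XRDS>"""


def _split(tag):
    """Split ElementTree's Clark notation '{ns}local' into (ns, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def parse_xrds(xml_text):
    """Return canonical id, signature presence and the Service entries of the final XRD.
    Stdlib parser is used for brevity; an XRDS is attacker-controlled input from the
    RP's point of view, so production code should parse it with a hardened parser."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    xrds = root.findall(f"{{{XRD_NS}}}XRD")
    if not xrds:
        raise ValueError("no XRD element in document")
    xrd = xrds[-1]  # the final XRD describes the target (XRI Resolution convention)
    services = []
    for svc in xrd.findall(f"{{{XRD_NS}}}Service"):
        entry = {
            "priority": int(svc.get("priority", NO_PRIORITY)),
            "types": [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text],
            "uri": (svc.findtext(f"{{{XRD_NS}}}URI") or "").strip() or None,
            "experimental": {},  # local name -> text for any element under experimental.openid.net
        }
        for child in svc:
            ns, local = _split(child.tag)
            if ns.startswith(EXPERIMENTAL_PREFIX):
                entry["experimental"][local] = (child.text or "").strip()
        services.append(entry)
    return {
        "canonical_id": (xrd.findtext(f"{{{XRD_NS}}}CanonicalID") or "").strip(),
        # Presence only: the RP still has to verify the XML-DSig before trusting the
        # delegation; signature verification is out of scope for this example.
        "signed": root.find(f"{{{DSIG_NS}}}Signature") is not None,
        "services": services,
    }


def op_endpoint(doc):
    """URI of the lowest-priority-number OpenID 2.0 server Service, or None."""
    candidates = [s for s in doc["services"] if OPENID_SERVER in s["types"] and s["uri"]]
    if not candidates:
        return None
    return min(candidates, key=lambda s: s["priority"])["uri"]


def expand_uri_template(template, user_uri):
    """Assumption: {%uri} is the only variable and takes the percent-encoded identifier."""
    if "{%uri}" not in template:
        raise ValueError("template has no {%uri} variable")
    return template.replace("{%uri}", quote(user_uri, safe=""))


def delegated_discovery(doc, user_uri):
    """Locate the describedby Service carrying the experimental URITemplate and return
    where the per-user XRDS would be fetched from, the NextAuthority, and the names of
    the experimental elements relied on.  None when the document delegates nothing."""
    for s in doc["services"]:
        if DESCRIBEDBY in s["types"] and "URITemplate" in s["experimental"]:
            return {
                "url": expand_uri_template(s["experimental"]["URITemplate"], user_uri),
                "next_authority": s["experimental"].get("NextAuthority"),
                "experimental_elements": sorted(s["experimental"]),
            }
    return None


if __name__ == "__main__":
    doc = parse_xrds(SAMPLE_XRDS)
    print("canonical id:", doc["canonical_id"], "| signed:", doc["signed"])
    print("OP endpoint:", op_endpoint(doc))
    print("delegation:", delegated_discovery(doc, "http://balfanz.net/example-user"))
```

The experimental namespace is matched by prefix rather than by the exact string Dirk used, so any element under experimental.openid.net is surfaced; that is the RP-side signal Dirk describes, a feature that is part of the OpenID community's work but not yet vetted as a standard.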