[OpenID] experimental namespace for openid.net
Peter Williams
pwilliams at rapattoni.com
Fri Jul 10 20:34:29 UTC 2009
"I think a proof of concept is a good idea."
-----------
It's hard to understand the technical discussion intelligently, as I for one have had no particular access to notions such as host-meta documents. I did quickly read the google disclosure about host-meta documents, and what I see at first glance is this:-
* The notion we already have in openid - of a signed link between meta-provider and authority - has moved from the existing XRD's SAML assertion's nameid/namequalifier/subject field to a couple of locator fields in a new type of SEP.
The XRD is signed directly by xmldsig, rather than using the SAML token as a signing scheme (which just removes a bit of superfluous syntax).
The xmldsig has a keyinfo specifically showcasing a cert *chain* - of unknown role. The role of X.509's built-in hierarchical or policy-driven namespace-delegation-management controls is UNKNOWN.
The intent is to eventually sign an XRD withOUT reference to XRDS semantics.
Therefore, rather than resolve the XRD.SAML2.Subject's nameid-qualifier (to validate the authoritativeness of the SEP's link between namespace provider and delegate), the RP will now follow the SEP's link to another meta-document - another (signed) XRD.
If the above is the main thrust of the logic, I can go off and program the openxri server to generate such a world, and see what happens in prototype interworking between discovery agents. It looks like about 16h work, at this point; mostly fiddling around with existing messages and syntaxes.
Application of such core discovery processes to openid RP (where some kind of RP extension actually "tests" the authorization of an IDP service bus ("provider") to act for a given OP domain ("tenant")) seems a distinct topic to the process of merely collecting and validating the authority-claim evidence.
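The discovery walk described in this message (an RP following a signed meta-document's delegation link to a further signed document, and validating the authority claim at each hop) sketched as a small Python model. This is an added example, not code from the post, the thread or the openxri project: the XRD and SEP are stood in for by plain dicts with assumed field names (Subject, Delegate, DelegateKey, KeyId, Signature), and HMAC-SHA256 stands in for xmldsig so it runs offline on the standard library. The security points it makes explicit are that the delegating document names the key the next hop must be signed with, and that the walker bounds hop count and detects loops.

```python
import hashlib
import hmac
import json

# Constructed key material for the example (stand-in for the xmldsig KeyInfo
# cert chain the message mentions). "rogue-key" is never authorized by anyone.
KEYS = {
    "root-key": b"root-secret",
    "tenant-key": b"tenant-secret",
    "rogue-key": b"rogue-secret",
}

META_URL = "https://meta.example/.well-known/host-meta"    # assumed URL
TENANT_URL = "https://tenant.example/xrd"                    # assumed URL


def _canonical(doc):
    """Deterministic bytes over every field except the signature itself."""
    body = {k: v for k, v in doc.items() if k != "Signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(doc, key_id):
    """Return a copy of doc carrying KeyId and an HMAC 'Signature' (stand-in for xmldsig)."""
    signed = dict(doc, KeyId=key_id)
    signed["Signature"] = hmac.new(KEYS[key_id], _canonical(signed), hashlib.sha256).hexdigest()
    return signed


def verify(doc, expected_key_id):
    """True only if doc claims, and is validly signed by, the key the previous hop authorized."""
    if doc.get("KeyId") != expected_key_id:
        return False
    mac = hmac.new(KEYS[expected_key_id], _canonical(doc), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, doc.get("Signature", ""))


# Constructed sample "world": the meta-provider's document delegates to the
# tenant's document and names the key that must sign it.
DOCS = {
    META_URL: sign({"Subject": "meta.example", "Delegate": TENANT_URL,
                    "DelegateKey": "tenant-key"}, "root-key"),
    TENANT_URL: sign({"Subject": "tenant.example", "Services": ["openid-op"]}, "tenant-key"),
}

# Variant 1: the tenant document is signed with a key nobody delegated to.
ROGUE_DOCS = dict(DOCS)
ROGUE_DOCS[TENANT_URL] = sign({"Subject": "tenant.example", "Services": ["openid-op"]}, "rogue-key")

# Variant 2: the tenant document delegates back to the meta document (a loop).
LOOP_DOCS = dict(DOCS)
LOOP_DOCS[TENANT_URL] = sign({"Subject": "tenant.example", "Delegate": META_URL,
                              "DelegateKey": "root-key"}, "tenant-key")


def resolve(start_url, trust_key_id, docs, max_hops=5):
    """Walk delegation links from start_url, verifying each hop with the key the
    previous hop authorized. Returns (True, final_doc) or (False, reason)."""
    url, key_id, seen = start_url, trust_key_id, set()
    for _ in range(max_hops):
        if url in seen:
            return False, "delegation loop at %s" % url
        seen.add(url)
        doc = docs.get(url)
        if doc is None:
            return False, "no document at %s" % url
        if not verify(doc, key_id):
            return False, "signature on %s not made with %s" % (url, key_id)
        if "Delegate" not in doc:
            return True, doc                      # end of chain: authority established
        url, key_id = doc["Delegate"], doc["DelegateKey"]
    return False, "more than %d hops from %s" % (max_hops, start_url)


if __name__ == "__main__":
    for name, world in (("good", DOCS), ("rogue", ROGUE_DOCS), ("loop", LOOP_DOCS)):
        ok, result = resolve(META_URL, "root-key", world)
        print(name, ok, result if not ok else result["Subject"])
```

The trust anchor here is the caller's `trust_key_id` for the first document; every later key is taken from the document that delegated, never from the document being verified, which is what keeps a self-signed substitute from being accepted.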