[OpenID] experimental namespace for openid.net

Santosh Rajan santrajan at gmail.com
Sat Jul 11 02:49:34 UTC 2009


Yes please start one immediately with people who can afford to throw in a
substantial amount of time on this in the near future.

I am willing to put in 25 hrs a week for this, for the next 4 weeks. I
am not up to speed on all the authentication technologies but at least I can
help with writing, coordination etc. if someone more experienced in all this
(and has less time to offer) can guide me.

As for the old discovery proposal I think it is as good as defunct now.



David Recordon wrote:
> 
> 
> 
> I'd be very happy to help get a discovery working group spun up and  
> charter them to modernize OpenID 2.0's discovery process.
> 
> --David
> 
> On Jul 10, 2009, at 11:58 AM, George Fletcher wrote:
> 
>> +1 to http://experimental.openid.net
>>
>> It would be good to add this to the "repository" work Breno and John  
>> are doing as having a registry for experimental URIs would be good  
>> as well.
>>
>> Thanks,
>> George
>>
>> Dirk Balfanz wrote:
>>> [+general at openid.net for a broader audience]
>>>
>>> On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz <balfanz at google.com> wrote:
>>>
>>>    Hi guys,
>>>    Google would like to launch a feature in which we're allowing our
>>>    Google Apps hosted domains to become OpenID providers. The
>>>    authentication part of it is pretty simple - Google is already
>>>    logging in users to their apps, so we can also host an OP endpoint
>>>    for those domains and send assertions back to Relying Parties.
>>>    What is more difficult is the discovery part. We have been working
>>>    with the XRI TC to define a XRD-based discovery protocol that
>>>    would allow this kind of hosting of discovery documents on behalf
>>>    of our customers.
>>>    We believe that providing proof-of-concept implementations drives
>>>    standardization processes forward, so in this spirit we want to
>>>    launch this feature in the near future, using a discovery protocol
>>>    that as far as we can tell meets all the requirements of what the
>>>    XRI TC is currently converging on, but which has not been vetted
>>>    as an official standard (it's a chicken and egg thing - without
>>>    PoC no standards, without standards by definition no
>>>    standards-compliant implementations).
>>>
>>>    While we were tossing around ideas
>>>    <http://markmail.org/message/ixc5led2lobdwij2> in the
>>>    standardization committees we just used random identifiers for new
>>>    XML namespaces, etc. that we would need for this discovery
>>>    protocol. Now that we're about to launch we need to decide what to
>>>    call these things. We would like to use a namespace
>>>    in http://specs.openid.net/... because we want this kind of
>>>    discovery protocol to be part of OpenID, but we can't really use
>>>    them because we don't have a next-generation discovery protocol yet.
>>>    So what should we use? How
>>>    about http://experimental.openid.net/... ? That way, Relying
>>>    Parties know that what we're trying to do is be a part of the
>>>    OpenID community and bring the protocol forward. On the other
>>>    hand, this would also be a signal to the RP that they're using a
>>>    feature that has not been vetted as a standard yet.
>>>    For example, a discovery document for a domain balfanz.net
>>>    at Google might look like this (notice the
>>>    "experimental" namespace and the XML elements using it):
>>>
>>>    <?xml version="1.0" encoding="UTF-8"?>
>>>    <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>>>      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>        <ds:SignedInfo>
>>>          <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" />
>>>          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>        </ds:SignedInfo>
>>>        <ds:KeyInfo>
>>>          <ds:X509Data>
>>>            <ds:X509Certificate>
>>>            MIICgjCCA...
>>>            </ds:X509Certificate>
>>>            <ds:X509Certificate>
>>>            MIICsDCCAhmgAwIB...
>>>            </ds:X509Certificate>
>>>          </ds:X509Data>
>>>        </ds:KeyInfo>
>>>      </ds:Signature>
>>>      <XRD>
>>>        <CanonicalID>balfanz.net</CanonicalID>
>>>        <Service priority="0">
>>>          <Type>http://specs.openid.net/auth/2.0/server</Type>
>>>          <Type>http://openid.net/srv/ax/1.0</Type>
>>>          <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>>>          <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
>>>        </Service>
>>>        <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
>>>          <Type>http://www.iana.org/assignments/relation/describedby</Type>
>>>          <MediaType>application/xrds+xml</MediaType>
>>>          <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
>>>          <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
>>>        </Service>
>>>      </XRD>
>>>    </xrds:XRDS>
>>>
>>>    What do you guys think?
>>>
>>>    Dirk.
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> specs mailing list
>>> specs at openid.net
>>> http://openid.net/mailman/listinfo/specs
>>>
>>
> 
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> 
> 


-----

Santosh Rajan
http://santrajan.blogspot.com
-- 
View this message in context: http://www.nabble.com/Re%3A-experimental-namespace-for-openid.net-tp24432471p24436805.html
Sent from the OpenID - General mailing list archive at Nabble.com.
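
As an added example (not part of the original thread, and not Google's or the OpenID Foundation's code), this Python parser shows how a Relying Party could read the discovery document quoted above and tell which services depend on elements in the `http://experimental.openid.net/` namespace. The sample omits the signature block; the `{%uri}` substitution rule and the identifier `http://balfanz.net/dirk` used in testing are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

XRD_NS = "xri://$xrd*($v*2.0)"
EXPERIMENTAL_PREFIX = "http://experimental.openid.net/"

# Constructed sample: the quoted document without its ds:Signature block.
SAMPLE = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD>
  <CanonicalID>balfanz.net</CanonicalID>
  <Service priority="0">
   <Type>http://specs.openid.net/auth/2.0/server</Type>
   <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
  </Service>
  <Service priority="0"
    xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
   <Type>http://www.iana.org/assignments/relation/describedby</Type>
   <MediaType>application/xrds+xml</MediaType>
   <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
   <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
  </Service>
 </XRD>
</xrds:XRDS>"""

def parse_services(xrds_text):
    """Return one dict per <Service>, keeping experimental elements separate."""
    if "<!DOCTYPE" in xrds_text:  # no DTD is expected; refuse entity tricks
        raise ValueError("unexpected DOCTYPE in discovery document")
    services = []
    for svc in ET.fromstring(xrds_text).iter("{%s}Service" % XRD_NS):
        entry = {"types": [], "uris": [], "experimental": {}}
        for child in svc:
            tag = child.tag
            ns, local = tag[1:].split("}", 1) if tag[0] == "{" else ("", tag)
            text = (child.text or "").strip()
            if ns == XRD_NS and local == "Type":
                entry["types"].append(text)
            elif ns == XRD_NS and local == "URI":
                entry["uris"].append(text)
            elif ns.startswith(EXPERIMENTAL_PREFIX):
                entry["experimental"][local] = text  # not a vetted standard
        services.append(entry)
    return services

def expand_template(template, claimed_id):
    """Assumption: {%uri} is replaced by the percent-encoded identifier."""
    return template.replace("{%uri}", quote(claimed_id, safe=""))

if __name__ == "__main__":
    print(parse_services(SAMPLE))
```

A Relying Party can treat a non-empty `experimental` dict as the signal the thread describes: the service uses a feature that has not been vetted as a standard.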



