[OpenID] experimental namespace for openid.net

Peter Williams pwilliams at rapattoni.com
Sat Jul 11 19:40:34 UTC 2009


I successfully subclassed the OpenXRI Java server to sign XRDs using xmldsig, removing the SAML2 assertion wrapper used by XRI's own trusted resolution procedures, when providing evidence that agents are authoritative (or delegates are authorized) according to the native XRI validation logic. The tool produces signed output similar to the mail below.

http://cid-05061d4609325b60.skydrive.live.com/self.aspx/Public/openxri/signxrd.zip if someone would like to check that my bit of additional signing and formatting work is done "correctly".

(a) Since all major programming platforms already have an xmldsig library that is well settled in terms of functionality, interoperability and access to crypto hardware, I'm really not sure what we gain in openid-land by using the Google/TC canonicalization method. I don't have that canonicalization in my FIPS 140-1 level 3 crypto device, and probably won't for 2+ years (until and IF the cryptomodule vendor decides to update the firmware, having gone to the trouble of getting a new NIST FIPS certification).

For my part, the new variant of XML signing is not "simpler": it means writing crypto code, and that code has to run in software crypto modules that are at most FIPS 140-1 level 1. With the alternative, more standard scheme for signing, so far I've needed ZERO crypto-programming skills. All I've done to sign XRDs is act as an application programmer (albeit probably one of the worst in the world). At my skill level it took forever, but at the end of the day all I had to do was make a subclass and do some virtual overrides.

(b) The XRD type defined in XRI Resolution v2 already allows arbitrary extensions to be placed at the end of the XML serialization of the standard elements. Why not place the digital signature in that area as an extension, formally? That placement would line up better for systems using existing XRD libraries, as they are already structured to add code for extensions in that extensibility area.

Peter

<?xml version="1.0" encoding="UTF-8"?>
<XRDS xmlns="xri://$xrds">
<XRD xml:id="5dc13ffd-6e48-11de-862f-4f7b42809b25" xmlns="xri://$xrd*($v*2.0)">
  <Query>@blog*lockbox</Query>
  <Status ceid="off" cid="off" code="100">Success</Status>
  <ServerStatus code="100">Success</ServerStatus>
  <CanonicalID>@!E459.819D.771.7990!5B62.6F13.7602.5176</CanonicalID>
  <Service priority="0">
   <Type>http://www.iana.org/assignments/relation/describedby</Type>
   <MediaType>application/xrds+xml</MediaType>
   <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
   <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
  </Service>
  <Service>
   <ProviderID>@!E459.819D.771.7990!5B62.6F13.7602.5176</ProviderID>
   <Type select="true">xri://$res*auth*($v*2.0)</Type>
   <MediaType select="false">application/xrds+xml</MediaType>
   <URI append="none" priority="2">http://localhost:80/server/resolve/ns/@!E459.819D.771.7990!5B62.6F13.7602.5176/</URI>
   <URI append="none" priority="1">https://localhost:443/server/resolve/ns/@!E459.819D.771.7990!5B62.6F13.7602.5176/</URI>
  </Service>
  <Server>OpenXRI</Server>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
    <ds:Reference URI="#5dc13ffd-6e48-11de-862f-4f7b42809b25" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
      <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
     </ds:Transforms>
     <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
     <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">lDSA829isbUDf8vzDjpiRyq/G4U=</ds:DigestValue>
    </ds:Reference>
   </ds:SignedInfo>
   <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
ZNxc4Yvgztyl5LthPZVfGxPQyPNa5Wdun8XRZpJqbWBA/mWYFFq5IEnyjOvaTrwnEjMWVRTrvLPv
3DRtSwrpWcLjk+dXUUrVEphWIMEdaEsEcY0YLlzMOJNdp8TRGz/drhRgE/qJZVoryW8l1Au6hk8f
yo8fTt/goird9vj+kPo=
</ds:SignatureValue>
  </ds:Signature>
</XRD>
</XRDS>
________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Dirk Balfanz [balfanz at google.com]
Sent: Friday, July 10, 2009 11:25 AM
To: specs at openid.net; general at openid.net List
Subject: Re: [OpenID] experimental namespace for openid.net

[+general at openid.net for a broader audience]

On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz <balfanz at google.com> wrote:
Hi guys,

Google would like to launch a feature in which we're allowing our Google Apps hosted domains to become OpenID providers. The authentication part of it is pretty simple - Google is already logging in users to their apps, so we can also host an OP endpoint for those domains and send assertions back to Relying Parties. What is more difficult is the discovery part. We have been working with the XRI TC to define an XRD-based discovery protocol that would allow this kind of hosting of discovery documents on behalf of our customers.

We believe that providing proof-of-concept implementations drives standardization processes forward, so in this spirit we want to launch this feature in the near future, using a discovery protocol that as far as we can tell meets all the requirements of what the XRI TC is currently converging on, but which has not been vetted as an official standard (it's a chicken and egg thing - without PoC no standards, without standards by definition no standards-compliant implementations).

While we were tossing around ideas <http://markmail.org/message/ixc5led2lobdwij2> in the standardization committees we just used random identifiers for new XML namespaces, etc. that we would need for this discovery protocol. Now that we're about to launch we need to decide what to call these things. We would like to use a namespace in http://specs.openid.net/... because we want this kind of discovery protocol to be part of OpenID, but we can't really use them because we don't have a next-generation discovery protocol yet.

So what should we use? How about http://experimental.openid.net/... ? That way, Relying Parties know that what we're trying to do is be a part of the OpenID community and bring the protocol forward. On the other hand, this would also be a signal to the RP that they're using a feature that has not been vetted as a standard yet.

For example, a discovery document for a domain balfanz.net at Google might look like this (notice the "experimental" namespace and the XML elements using it):

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
    </ds:SignedInfo>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          MIICgjCCA...
        </ds:X509Certificate>
        <ds:X509Certificate>
          MIICsDCCAhmgAwIB...
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <XRD>
    <CanonicalID>balfanz.net</CanonicalID>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
    </Service>
    <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
      <Type>http://www.iana.org/assignments/relation/describedby</Type>
      <MediaType>application/xrds+xml</MediaType>
      <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
      <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
    </Service>
  </XRD>
</xrds:XRDS>

What do you guys think?

Dirk.
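Added example (not Peter's openxri subclass, not Google's code, and not part of either mail): the approach Peter argues for in (a) and (b), written against nothing but the JDK's standard XML-DSig API. It envelopes a ds:Signature as the last child of the XRD (the extension area of point (b)), references the XRD by its xml:id with the enveloped-signature and exclusive-c14n transforms exactly as in Peter's sample, and then verifies it. The XRDS text, the class name SignedXrdDemo and the generated key pair are constructed for the example. Three things differ from the 2009 sample on purpose: SHA-256 replaces rsa-sha1/sha1 (JDK 17 and later reject SHA-1 under secure validation, and it should not be used for new signatures); no KeyInfo is emitted, because a key read out of the document being verified proves nothing, so verify() takes the key the resolver already trusts for that authority; and after validate() succeeds the code still checks that the one Reference dereferences to the XRD actually being consumed, which is the signature-wrapping check an RP needs before it acts on the Service elements.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.TransformParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SignedXrdDemo {
    static final String XRD_NS = "xri://$xrd*($v*2.0)";
    // SHA-256 throughout; the 2009 sample uses rsa-sha1/sha1, which JDK 17+ rejects under secure validation.
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed sample for this example (no resolver behind it), shaped like the XRD in Peter's mail.
    static final String SAMPLE_XRDS =
        "<XRDS xmlns=\"xri://$xrds\">"
      + "<XRD xml:id=\"5dc13ffd-6e48-11de-862f-4f7b42809b25\" xmlns=\"" + XRD_NS + "\">"
      + "<Query>@blog*lockbox</Query>"
      + "<CanonicalID>@!E459.819D.771.7990!5B62.6F13.7602.5176</CanonicalID>"
      + "</XRD></XRDS>";

    /** Parses an XRDS with DTDs disabled and registers xml:id as an ID attribute on every XRD. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Discovery documents are attacker-supplied input: no DOCTYPE, so no XXE or entity expansion.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        // The parser does not know xml:id is an ID type, so "#fragment" references would not dereference.
        NodeList xrds = doc.getElementsByTagNameNS(XRD_NS, "XRD");
        for (int i = 0; i < xrds.getLength(); i++) {
            ((Element) xrds.item(i)).setIdAttributeNS(XMLConstants.XML_NS_URI, "id", true);
        }
        return doc;
    }

    /** Envelopes a ds:Signature in the first XRD as its last child, i.e. in the XRD extension area. */
    static String sign(String xrdsXml, KeyPair authorityKey) throws Exception {
        Document doc = parse(xrdsXml);
        Element xrd = (Element) doc.getElementsByTagNameNS(XRD_NS, "XRD").item(0);
        String id = xrd.getAttributeNS(XMLConstants.XML_NS_URI, "id");
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Reference ref = fac.newReference("#" + id,
            fac.newDigestMethod(DigestMethod.SHA256, null),
            Arrays.asList(
                fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null),
                fac.newTransform(CanonicalizationMethod.EXCLUSIVE, (TransformParameterSpec) null)),
            null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Collections.singletonList(ref));
        // No KeyInfo on purpose: the relying party must already hold the authority's key (see verify()).
        XMLSignature sig = fac.newXMLSignature(si, null);
        DOMSignContext dsc = new DOMSignContext(authorityKey.getPrivate(), xrd);
        dsc.setDefaultNamespacePrefix("ds"); // emit ds:Signature as in the samples on this page
        sig.sign(dsc);
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    /**
     * True only if the first XRD envelopes exactly one Signature, it verifies under a key the
     * resolver already trusts for this authority, and its single Reference is that XRD itself.
     */
    static boolean verify(String signedXrdsXml, PublicKey trustedKey) throws Exception {
        Document doc = parse(signedXrdsXml);
        Element xrd = (Element) doc.getElementsByTagNameNS(XRD_NS, "XRD").item(0);
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1 || sigs.item(0).getParentNode() != xrd) {
            return false; // unsigned, multiply signed, or the Signature is enveloped somewhere else
        }
        DOMValidateContext vc = new DOMValidateContext(KeySelector.singletonKeySelector(trustedKey), sigs.item(0));
        vc.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE); // rejects weak algorithms, XSLT, etc.
        XMLSignature sig = XMLSignatureFactory.getInstance("DOM").unmarshalXMLSignature(vc);
        if (!sig.validate(vc)) {
            return false; // digest or SignatureValue mismatch
        }
        // Signature-wrapping guard: a valid signature over *some* element is not enough; the one
        // Reference must dereference to the XRD whose Service elements the caller is about to use.
        List<?> refs = sig.getSignedInfo().getReferences();
        if (refs.size() != 1) {
            return false;
        }
        String uri = ((Reference) refs.get(0)).getURI();
        return uri.startsWith("#") && doc.getElementById(uri.substring(1)) == xrd;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair authority = kpg.generateKeyPair();
        String signed = sign(SAMPLE_XRDS, authority);
        System.out.println(signed);
        System.out.println("intact:    " + verify(signed, authority.getPublic()));
        System.out.println("tampered:  " + verify(signed.replace("@blog*lockbox", "@blog*evil"), authority.getPublic()));
        System.out.println("wrong key: " + verify(signed, kpg.generateKeyPair().getPublic()));
    }
}
```

Compile and run with `javac SignedXrdDemo.java && java SignedXrdDemo`; only the first verify() call should report true. Nothing here touches a digest or an RSA primitive directly, which is Peter's point (a): sign() is unchanged if authorityKey comes from a PKCS#11 KeyStore backed by a hardware module rather than from KeyPairGenerator, because the JDK's DSig implementation only ever asks the JCA provider to sign the canonicalized SignedInfo octets.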
