[OpenID] Google discovery prototype: host-meta from Google
Manger, James H
James.H.Manger at team.telstra.com
Tue Jul 14 06:16:46 UTC 2009
It is good to see Google trying new ideas with OpenID, such as their proof-of-concept for an OpenID Provider for Google hosted domains (https://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery).
The protocol documentation offers a Google URI for starting discovery about a hosted domain. That is, start at https://www.google.com/accounts/o8/host-meta?hd=example.com to discover the OpenID details for an example.com user (by getting a pointer to an XRDS doc that contains an OP URI to send an auth request to).
This doesn’t scale. If Google, Yahoo, Microsoft, Xxx, Yyy… all ran OPs for hosted domains then an RP would have to try many discovery requests (and each RP would try a different subset).
This is probably not secure. Google could lie that it was the OP for a domain that it did not host (though I assume this is unlikely).
Perhaps Google URIs for other domains host-meta files are only a temporary hack for a demo.
Alternatively, there might be a significant number of groups who would like to use a hosted OP, but for whom it is still quite awkward to add even a single host-meta file to their web server.
Q. Are the Google host-meta URIs a temporary hack for a demo, or a required feature for OpenID adoption?
Q. Will the reported changes to JanRain’s RPX service to support the Google proof-of-concept mean that the Google URIs for host-meta are used by production RPs (such as Sears)?
P.S. The protocol doc mentions http://example.com/.well-known/host-meta and http://example.com/host-meta (for IdP and user discovery respectively). I guess one of these is a typo.
James Manger
James.H.Manger at team.telstra.com
Identity and security team — Chief Technology Office — Telstra
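An added example (written for this page, not code from the post or from Google's protocol doc) of an RP-side discovery routine that treats the domain's own host-meta as authoritative and consults a provider-hosted host-meta URI only when the RP has explicitly configured that delegation for the domain, which addresses both the scaling and the "Google could lie" concerns above. The Link-line host-meta syntax, the "describedby" rel, and the site-xrds URLs are assumptions; the documents are constructed.

```python
import re
LINK_RE = re.compile(r'^Link:\s*<([^>]+)>\s*;\s*(.*)$')
XRDS_TYPE = 'application/xrds+xml'
# Constructed documents standing in for HTTPS responses, keyed by URL.
# The Link-line syntax, the "describedby" rel and the site-xrds URLs are assumptions.
DOCS = {
    'https://example.com/.well-known/host-meta':
        'Link: <https://www.google.com/accounts/o8/site-xrds?hd=example.com>; '
        'rel="describedby"; type="application/xrds+xml"\n',
    # A provider-hosted host-meta asserting an OP for a domain that published none.
    'https://www.google.com/accounts/o8/host-meta?hd=example.net':
        'Link: <https://www.google.com/accounts/o8/site-xrds?hd=example.net>; '
        'rel="describedby"; type="application/xrds+xml"\n',
}

def fetch(url):
    """Stand-in for an HTTPS GET; raises KeyError when nothing is published."""
    return DOCS[url]

def parse_host_meta(body):
    """Return [(uri, params)] for each Link: line in a host-meta body."""
    links = []
    for line in body.splitlines():
        m = LINK_RE.match(line.strip())
        if not m:
            continue
        params = {}
        for part in m.group(2).split(';'):
            if '=' in part:
                k, v = part.split('=', 1)
                params[k.strip().lower()] = v.strip().strip('"')
        links.append((m.group(1), params))
    return links

def xrds_pointer(body):
    """First XRDS link in a host-meta body, or None if there is none."""
    for uri, p in parse_host_meta(body):
        if 'describedby' in p.get('rel', '').split() and p.get('type') == XRDS_TYPE:
            return uri
    return None

def discover_xrds(domain, trusted_hosts=None):
    """RP-side discovery: the domain's own host-meta is authoritative; a
    provider-hosted host-meta is used only if the RP configured it for this domain."""
    try:
        return xrds_pointer(fetch('https://%s/.well-known/host-meta' % domain))
    except KeyError:
        delegated = (trusted_hosts or {}).get(domain)
        return xrds_pointer(fetch(delegated)) if delegated else None
```

With no configured delegation, a provider's host-meta for example.net is never consulted, so its claim to be that domain's OP carries no weight with the RP.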