[OpenID] Google discovery prototype: host-meta from Google

Dirk Balfanz balfanz at google.com
Tue Jul 14 18:23:10 UTC 2009


On Mon, Jul 13, 2009 at 11:16 PM, Manger, James H <James.H.Manger at team.telstra.com> wrote:

>  It is good to see Google trying new ideas with OpenID, such as their
> proof-of-concept for an OpenID Provider for Google hosted domains (
> https://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery).
>
> The protocol documentation offers a Google URI for starting discovery about
> a hosted domain. That is, start at
> https://www.google.com/accounts/o8/host-meta?hd=example.com to discover
> the OpenID details for an example.com user (by getting a pointer to an
> XRDS doc that contains an OP URI to send an auth request to).
>
> This doesn’t scale. If Google, Yahoo, Microsoft, Xxx, Yyy… all ran OPs for
> hosted domains then an RP would have to try many discovery requests (and
> each RP would try a different subset).
>
You could solve that, as anything in computer science, with an additional
level of indirection <http://sites.google.com/site/oauthgoog/Home/pds>,
i.e., have a service that tells the RP which service is hosting the user's
OP. Alternatively, domains will hopefully be serving their own host-metas,
so there may or may not be a need for hosting host-metas.

> This is probably not secure. Google could lie that it was the OP for a
> domain that it did not host (though I assume this is unlikely).
>
Actually, one of the points of this exercise was to make it _more_ secure
than Yadis discovery. The host-meta is simply used as a hint as to where you
might find the site's signed XRD(S) document. If the host-meta points you to
the wrong place, chances are the thing it points you to doesn't have the
signature it needs to satisfy the resolver.

Dirk.

>
> Perhaps Google URIs for other domains host-meta files are only a temporary
> hack for a demo.
>
> Alternatively, there might be a significant number of groups who would like
> to use a hosted OP, but for whom it is still quite awkward to add even a
> single host-meta file to their web server.
>
>
> Q. Are the Google host-meta URIs a temporary hack for a demo, or a required
> feature for OpenID adoption?
>
> Q. Will the reported changes to JanRain’s RPX service to support the Google
> proof-of-concept mean that the Google URIs for host-meta are used by
> production RPs (such as Sears)?
>
>
> P.S. The protocol doc mentions http://example.com/.well-known/host-meta and
> http://example.com/host-meta (for IdP and user discovery respectively). I
> guess one of these is a typo.
>
>
> *James Manger*
> James.H.Manger at team.telstra.com
> Identity and security team — Chief Technology Office — Telstra
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
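The "host-meta is only a hint" argument above, worked through as an added example (this is not Google's code or anything from the proof-of-concept page). It models a relying party that follows the host-meta pointer but only accepts an XRD that names the expected domain as its subject and carries a valid signature under a key the RP already trusts for that domain. The key table, the HMAC used as a stand-in for the XML-DSig signature on a real signed XRD, and every URL and document are constructed for the example; with those assumptions, a host-meta that points somewhere wrong produces no OP endpoint at all.

```python
"""Constructed walk-through of host-meta-as-hint OpenID discovery (example code)."""
import hashlib
import hmac

# Keys the RP is assumed to trust per hosted domain. They play the role that
# the signing certificate plays for a real signed XRD. Constructed values.
TRUSTED_KEYS = {
    "example.com": b"constructed-example.com-signing-key",
    "other.example": b"constructed-other.example-signing-key",
}


def xrd_payload(subject, op_endpoint):
    """Bytes the signature covers: the domain the XRD speaks for and its OP."""
    return f"{subject}\n{op_endpoint}".encode()


def sign_xrd(subject, op_endpoint, key):
    """Produce a signed XRD record (HMAC as a stand-in for XML-DSig)."""
    sig = hmac.new(key, xrd_payload(subject, op_endpoint), hashlib.sha256).hexdigest()
    return {"subject": subject, "op_endpoint": op_endpoint, "signature": sig}


def parse_host_meta(body):
    """Return the target of the first 'describedby' Link line, or None."""
    for line in body.splitlines():
        line = line.strip()
        if not line.startswith("Link:") or "<" not in line or ">" not in line:
            continue
        target = line[line.index("<") + 1:line.index(">")]
        params = line[line.index(">") + 1:]
        if "describedby" in params:
            return target
    return None


def verify_xrd(doc, domain, trusted_keys):
    """Return the OP endpoint only if the XRD is for `domain` and signed by its key."""
    key = trusted_keys.get(domain)
    if key is None or doc.get("subject") != domain:
        return None  # no trust anchor, or the document speaks for someone else
    expected = hmac.new(key, xrd_payload(domain, doc.get("op_endpoint", "")),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc.get("signature", "")):
        return None  # pointer led to an unsigned or tampered document
    return doc["op_endpoint"]


def discover_op(domain, host_meta_body, fetch, trusted_keys=TRUSTED_KEYS):
    """Follow the host-meta hint, then let the signature decide what to trust."""
    target = parse_host_meta(host_meta_body)
    if target is None:
        return None
    doc = fetch(target)
    if doc is None:
        return None
    return verify_xrd(doc, domain, trusted_keys)


# Constructed documents standing in for network fetches.
XRD_STORE = {
    "https://xrd.example.com/example.com": sign_xrd(
        "example.com", "https://op.example.com/openid", TRUSTED_KEYS["example.com"]),
    "https://xrd.other.example/other": sign_xrd(
        "other.example", "https://op.other.example/openid", TRUSTED_KEYS["other.example"]),
    # Claims to speak for example.com but has no valid signature.
    "https://rogue.example.net/xrd": {
        "subject": "example.com",
        "op_endpoint": "https://rogue.example.net/openid",
        "signature": "00",
    },
}


def fetch(url):
    """Offline stand-in for an HTTPS GET of the XRD."""
    return XRD_STORE.get(url)


HONEST_HOST_META = ('Link: <https://xrd.example.com/example.com>; '
                    'rel="describedby"; type="application/xrds+xml"\n')
MISDIRECTED_HOST_META = ('Link: <https://rogue.example.net/xrd>; '
                         'rel="describedby"; type="application/xrds+xml"\n')
SWAPPED_HOST_META = ('Link: <https://xrd.other.example/other>; '
                     'rel="describedby"; type="application/xrds+xml"\n')

if __name__ == "__main__":
    for label, hm in [("honest", HONEST_HOST_META), ("misdirected", MISDIRECTED_HOST_META),
                      ("swapped", SWAPPED_HOST_META)]:
        print(label, "->", discover_op("example.com", hm, fetch))
```

The three fixtures cover the cases the thread raises: an honest pointer yields the OP endpoint, a pointer to a document that merely claims to be example.com's XRD fails the signature check, and a pointer to a genuinely signed XRD for a different domain fails the subject check. The host-meta server never becomes a trust anchor; only the per-domain key does.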