[OpenID] Google discovery prototype: host-meta from Google

Santosh Rajan santrajan at gmail.com
Thu Jul 16 10:18:33 UTC 2009 

I somehow cant come to terms with this idea of coupling trust with discovery.

1) It complicates discovery.
2) "Trust" itself is a nebulous quantity. There are levels of trust. So what
level of trust are you going to go with? This will invariably lead to
disagrements. Each persons idea of trust is different. The concept of trust
has been there from the beginning of humankind. How are you going to
quantify this in the digital world?

Trust must be decoupled from discovery. We need to start with a simple basic
discovery with no trust addressed. Then we need to add layers of trust in
such a way that users and applications can pick and choose the level of
trust they need.

For eg. Discovery for logging into a blog, shopping site, or bank will be
the same. But each one requires a different level of trust.

So the kind of solution I would like to see is something like this (this is
just an example).

Layer 1. Basic Discovery Layer
Layer 2. Trust Level 1 - ssl
Layer 3. Trust Level 2 - signed XRD
Layer 4. Trust Level 3 - Signed XRD with cert chain

In such a scenario, we can have OP's who support different levels, RP's can
choose which level they require.

I have no idea how this can be done. But I am sure that we should not try to
solve all the problems at the same time. Let us come up with the Basic
Discovery Layer first. And then move upwards step by step.
 

SitG Admin wrote:
> 
>>Let me make the point more explicit:
> 
> Took me a while, but I think I'm finally beginning to get this. 
> Thanks for sticking with it.
> 
>>1. The design being discussed in the XRI TC allows sites to host 
>>their signed XRD documents anywhere in the Internet. It uncouples 
>>the trust elements of discovery from the path followed to perform 
>>discovery.
> 
> Discovery (via DNS, or XRI, or whatever) can thus be addressed 
> separately, with keys/certs the important point on which trust rests?
> 
>>2. The design being discussed at the XRI TC would allow sites to 
>>delegate trust to any other site of their choice, by signing 
>>delegation statements. This is necessary to really accomplish the 
>>vision in (1),
> 
> Delegation provided (and enforced) by signatures. Peter's concerns 
> are making more sense to me too, though, now; to keep trust truly 
> decoupled from the path followed, it wouldn't dictate a path for 
> revocation to follow, so how *do* we make certain that our trust is 
> not relying on certs that we just haven't found out yet had been 
> revoked?
> 
> But this is probably just me still catching up :)
> 
> -Shade
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
> 
> 


-----

Santosh Rajan
http://santrajan.blogspot.com http://santrajan.blogspot.com 
-- 
View this message in context: http://www.nabble.com/Google-discovery-prototype%3A-host-meta-from-Google-tp24474276p24513788.html
Sent from the OpenID - General mailing list archive at Nabble.com.

More information about the general mailing list