[OpenID] OpenID Discovery for Email like identifiers - Draft 0.1

Peter Williams pwilliams at rapattoni.com
Thu Jun 4 20:21:30 UTC 2009


There is no open discovery protocol. There is simply use of 2 externally defined protocols (yadis and xri resolution).

As it stands, openid auth spec constrains and canonicalizes the allowed inputs to those protocols, when used.

Are you guys also proposing that an op might discover an rp realm xrd, from a rp identified in openid auth that is not either an http/s scheme url or an xri?

Will it be mandatory for op to support webfinger, if the rp realm chooses to so identify itself?

Why this one and not all the others such as gc and ldap? (apart from, it's in the news today)

________________________________
From: David Fuelling <sappenin at gmail.com>
Sent: Thursday, June 04, 2009 1:06 PM
To: Santosh Rajan <santrajan at gmail.com>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID Discovery for Email like identifiers - Draft 0.1

P.S. -- Just to clarify, I don't speak for the WebFinger folks and have only been lurking on that list.

On Thu, Jun 4, 2009 at 7:23 PM, David Fuelling <sappenin at gmail.com> wrote:
Replies inline...

On Thu, Jun 4, 2009 at 5:10 AM, Santosh Rajan <santrajan at gmail.com> wrote:
The way I see it we are the "end-users" for webfinger and XRD. Their
objective will be to cater to our requirements and others like us. We
need not wait for them to get on with our work. Actually they can use our
feedback to refine and fine tune their work.

With regard to webfinger, that spec needs to be "specified" before we can use it in OpenID 2.1.  My thinking is that it would be helpful to start formalizing webfinger since in the OpenID 2.1 spec, there will probably just be a single sentence or two saying, "email-like identifiers are supported in OpenID discovery by using the webfinger protocol".

From a specification development perspective, I'm not sure there's a lot more we need to do on the OpenID side when it comes to email identifiers, except resolve any issues relating to IPR.  Do you agree?

That said, how do we resolve the IPR issues surrounding webfinger (basically, all the points Chris Messina mentioned in his previous message).  To me this hinges on the webfinger folks picking some sort of formalized standards process to work in, so that OpenID can use it properly.

If you look at XRD, that's moving forward inside of OASIS.  OAuth is moving forward inside of IETF.  There's the OWF, but I'm not sure if they're ready to "house" a spec just yet.  And lastly, there's the OpenID Foundation (though admittedly this seems like an odd place to house webfinger).

So I think we should form a working group of people like you, who have
already worked on this, and others who may want to work on this.

But I also agree with Chris's view that we don't need more working groups
and need to fold this into 2.1.

+1.  I don't think OpenID 2.1 Discovery needs its own working group, because I can see that section being only 2 sentences (I'm oversimplifying, but you get the idea):

 1.  OpenID discovery can be used on any identifier that is discoverable via XRD.
 2.  Email-like identifier discovery should use webfinger.

The only two reasons I can think of for the need of a separate working group
is to maintain momentum, and to have a group of people solely focussed on
the discovery part of 2.1.

I think the people focusing on Discovery are already alive and kicking in the XRD TC.  They're going to solve Discovery in a general sort of way, allowing OpenID to utilize it in a specific manner.  In essence, the XRD folks are doing most of the work already.

Moving forward, we need to figure out how OpenID 2.1 is going to be able to use WebFinger.



