[OpenID] XRD signing and a new kind of Claimed Identifier
John Bradley
john.bradley at wingaa.com
Fri Jun 5 18:05:25 UTC 2009
The XRD 1.0 spec will define how to sign an XRD.
There are several trust models for that. It is anticipated that for
openID the default trust model will use SSL certs where the subject
(formerly known as CanonicalID) of the XRD is a URL.
We expect different trust models to evolve for different use cases,
including self signed.
It will be up to openID to decide what, if any, of the possible trust
models are accepted.
A decision could be taken to ignore XRD signatures and rely on SSL
directly.
The existing XML Dsig in XRDS has gone largely unused.
Though there are many use cases, like delegating return_to and others,
that benefit from a signed XRD.
As Johannes points out LID and other protocols like XDI happily
publish public keys in XRDS now.
I believe the issue is that openID is tied to a particular notion of a
redirect authentication protocol.
LID and other XRD/S discovery based authentication methods are not
excluded for technical reasons now.
There is a political decision about what openID is that needs to be
taken before adding new or existing (LID) authentication methods can
be productively discussed.
XRD 1.0 will not change that.
John B.
On 5-Jun-09, at 12:54 PM, general-request at openid.net wrote:
> Date: Fri, 5 Jun 2009 16:39:29 +0900
> From: Nat Sakimura <sakimura at gmail.com>
> Subject: Re: [OpenID] XRD signing and a new kind of Claimed Identifier
> To: Johannes Ernst <jernst+openid.net at netmesh.us>
> Cc: general <general at openid.net>
>
> Secure XRD 1.0 will have public key and signature in it.
> It is currently being vigorously drafted.
>
> The TC's been evaluating two types of signature: constrained XML Dsig,
> which is essentially simplified c14n and no q-names (similar to SAML
> signature), and a new type of very simplistic signature, which Base64s
> the XRD and takes RSA-SHA over it (see:
> http://wiki.oasis-open.org/xri/XrdOne/SimpleSign). The majority of the
> TC is tending towards the former, but some members still feel that the
> community would find it too complicated and implementation
> compatibility will be an issue.
>
> The XRI TC/XRD specs team would welcome your input in this regard,
> although, as usual, technical suggestions made here do not get into
> the spec because of the IPR contamination issues.
>
> Regards,
>
> =nat
>
>
> On Fri, Jun 5, 2009 at 1:40 PM, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
>
>> If I understand you correctly, you are essentially describing LID.
>>
>> http://lid.netmesh.org/wiki/LID_By_Example
>>
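The SimpleSign scheme Nat describes (Base64 the XRD, RSA-SHA over it) combined with the trust check John anticipates (the XRD Subject is a URL that must match the signer's SSL certificate subject), as an added example that is not code from this thread or from the XRI TC. It assumes SHA-256 with PKCS#1 v1.5, a constructed sample XRD, and that certificate validation has already happened elsewhere so the certificate subject can be passed in as a plain string.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"errors"
)

// Constructed sample XRD (not from the thread). Its Subject is a URL, as in
// the SSL-certificate trust model discussed above.
const SampleXRD = `<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Subject>https://example.com/</Subject></XRD>`

// NewKey makes a throwaway signing key (stands in for the key behind the SSL cert).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// digest builds the SimpleSign input: base64 the raw XRD bytes, then hash that.
// The raw bytes are what gets signed, so any re-serialization (even added
// whitespace) breaks verification; that is the trade-off against c14n.
func digest(xrd []byte) []byte {
	h := sha256.Sum256([]byte(base64.StdEncoding.EncodeToString(xrd)))
	return h[:]
}

// SimpleSign: RSA-SHA256 (PKCS#1 v1.5, assumed) over the base64 of the XRD.
func SimpleSign(key *rsa.PrivateKey, xrd []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest(xrd))
}

// VerifySimpleSign checks the signature, then the trust model: the XRD
// <Subject> must equal the subject of the signer's (already validated)
// certificate, passed here as a plain string.
func VerifySimpleSign(pub *rsa.PublicKey, certSubject string, xrd, sig []byte) error {
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(xrd), sig); err != nil {
		return err
	}
	var doc struct {
		Subject string `xml:"Subject"`
	}
	if err := xml.Unmarshal(xrd, &doc); err != nil {
		return err
	}
	if doc.Subject != certSubject {
		return errors.New("XRD Subject does not match the signer's certificate subject")
	}
	return nil
}
```

A valid signature with a mismatched Subject, or a re-serialized XRD with a valid key, both fail verification; the caller drives NewKey, SimpleSign and VerifySimpleSign.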