[OpenID] blogspot and google as OPs; synonyms
Peter Williams
pwilliams at rapattoni.com
Mon Jun 8 05:36:00 UTC 2009
Something well written, for background on the relationship between openid2 and XRI authority synonyms.
http://www.oasis-open.org/committees/download.php/22395/xri-polyarchy-
Take the notion of the spoofing arc, described above, and its resolution (dynamic canonical id verification) and augment these properties with another set of (polyarchical) certification statements from the https cert chains supporting statically-signed XRD files.
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Peter Williams [pwilliams at rapattoni.com]
Sent: Sunday, June 07, 2009 9:17 PM
To: general at openid.net
Subject: Re: [OpenID] blogspot and google as OPs; synonyms
This may be hard to follow (mostly as I'm learning, by writing). No apologies, if you read further.
If I understand inherited synonym value-add over XRI of openid2 correctly, I'm going to assume from side channel conversations that openid 2.0 intends that an RP shall be able to test that the authority named using an xri and an authority named using a (non HXRI) url can be determined to be one and the same, because one can test that the xri and url are synonyms (in the XRI authority sense) :-
What I should be able to do as a result of that world, at least, is have
"@blog*googlelock/+email" return the same value as an AX query issued to blogspot.com, for the ax schema attribute for email.
why?
because
1. @blog*googelock *(and its ref-grade synonyms in XRI land) all identify the same openid and thus ax service provider (google), and
2. google apparently has, outside XRI semantics, made blogspot.com another synonym for the gmail - indicating that the (OP) authorities are the same. (gmail OP and blogspot OP are just 2 manifestations of the same authentication authority and attribute authority).
Now, assuming I've got the simple case of attribute retrieval correct, then let's turn to the more interesting case of authority semantics (plural), where the signed XRD notion [ for openid] might allow us for the first time to leverage https cert chains (and their "independent" and "tamperproof" 'certification' signals).
Let me assume that the [signed] XRD for each of google subscribers and blogspot subscribers will have as their issuer fields https://google.com... for google OP, and https://blogspot.com.... for the case of blogspot OP. The nature of openid auth v2 protocol's "realm security" control is such that, despite the distinct XRD signatures and cert chains, each OP will always have a different auth handle with the same RP. But, what more can we say about the cert chain that supports the https-based trust model that formally now addresses verification of the signature on the XRD files?
Will the elements of the chain be different or the same, for each OP providing a signed XRD?
Let's try a thought experiment.
One way to indicate to an RP that two (non HXRI) URLs are synonyms (in the XRI sense) or that an XRI and URL are synonyms (again in the XRI sense) would be to enable the RP __via certs processing__ to determine that the 2 https endpoints from which are retrieved the 2 signed and issued XRD files do in fact share a common intermediate CA (as identified by its [RP-authenticated] public key), and each have published in the X.509 standard AUTHORITY alternative names of the https EE cert a URI extension; where the 2 URI values - because of the synonymous nature of the 2 authorities - SHALL represent an "equivalent" XRI name (in HXRI format).
Surely, we could allow RPs to test now whether the canonical ids of the 2 HXRIs match (allowing for each cert's HXRI to use a different proxy, even). From the determination of equality, an RP might infer that the CA __certifies__ that the URI authority is a synonym for the XRI authority (or two URI authorities are the same entity, similarly).
If we view the cert chain as the medium for representing the polyarchical relationship between URL and XRI authorities, surely the cert's alternative authority name is acting as localID(s). Per most professional CA CPSs, the cert is nothing other than a mobile copy of a record in a naming authority registry. Thus, a cert attesting to the equivalency of two authorities in two other worlds (URLs and XRIs) is entirely consistent with what X.509 3 certs were supposed to do, with the alternative AUTHORITY name extension field.
Does this make any sense, at all, BTW?
My gut tells me there is something here, and it's an infrastructure-sized issue. And, it's very compatible with the (original) VeriSign business model, moved forward a decade to now address "authority" certification!
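A toy model of the RP-side check the message above proposes (an added illustration, not code from the thread or from any OpenID/XRI library): two endpoints count as certified synonyms only if their chains share an intermediate CA, matched by public key, and each end-entity cert carries a URI alternative name that is an HXRI resolving to the same canonical ID. The certificate records, fingerprints, HXRI proxies and the resolution table are all constructed stand-ins for real X.509 parsing and XRI resolution.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

@dataclass
class Cert:
    """Minimal stand-in for an X.509 cert: only the fields the check needs."""
    subject: str
    spki_fingerprint: str                  # stand-in for a hash of the public key
    uri_alt_names: list = field(default_factory=list)

# Constructed chains, leaf first. Both leaves sit under the same intermediate key,
# and each leaf's URI alt-name is an HXRI for the same XRI via a different proxy.
GOOGLE_CHAIN = [
    Cert("google.com", "spki:leaf-g", ["http://xri.net/@blog*googlelock"]),
    Cert("Example Intermediate CA", "spki:int-1"),
    Cert("Example Root CA", "spki:root"),
]
BLOGSPOT_CHAIN = [
    Cert("blogspot.com", "spki:leaf-b", ["https://xri.example.net/@blog*googlelock"]),
    Cert("Example Intermediate CA (reissued)", "spki:int-1"),
    Cert("Example Root CA", "spki:root"),
]
# Constructed resolution table: XRI -> canonical ID (i-number). Real RPs resolve this.
CANONICAL_IDS = {"@blog*googlelock": "=!1111.2222", "@other": "=!9999.0000"}

def shared_intermediate(chain_a, chain_b):
    """Fingerprint of an intermediate (not leaf, not root) present in both chains, else None."""
    common = {c.spki_fingerprint for c in chain_a[1:-1]} & \
             {c.spki_fingerprint for c in chain_b[1:-1]}
    return sorted(common)[0] if common else None

def hxri_to_xri(uri):
    """Strip the proxy resolver host from an HXRI, leaving the XRI; None if not an HXRI."""
    p = urlparse(uri)
    if p.scheme not in ("http", "https"):
        return None
    xri = p.path.lstrip("/")
    return xri if xri and xri[0] in "@=+!$" else None

def canonical_ids(cert):
    """Canonical IDs of every resolvable HXRI in the cert's URI alternative names."""
    return {CANONICAL_IDS[x] for x in map(hxri_to_xri, cert.uri_alt_names)
            if x is not None and x in CANONICAL_IDS}

def certified_synonyms(chain_a, chain_b):
    """True only when a shared intermediate exists and the leaves agree on a canonical ID."""
    if shared_intermediate(chain_a, chain_b) is None:
        return False
    return bool(canonical_ids(chain_a[0]) & canonical_ids(chain_b[0]))
```

Note that the shared-intermediate condition is the part that turns an RP's own resolution of two HXRIs into something a third party vouched for; without it the two canonical IDs matching says nothing about who issued the certs.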
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Peter Williams [pwilliams at rapattoni.com]
Sent: Sunday, June 07, 2009 7:08 PM
To: general at openid.net
Subject: [OpenID] blogspot and google as OPs; synonyms
OK, I'm officially confused.
Do something obvious, Peter, like login to gmail. Great! It works. Gmail/Google is also an OP, doing directed id. It works, I've found when talking to plaxo.
Peter happens to wander to blogspot.com. Without my involvement, I'm logged in to my blogspot account. Some kind of auto-SSO between google and blogspot has happened, I'll assume. Let's assume it's proprietary, and not openid.
blogspot is an OP, and tells me to use http://openid2.blogspot.com/ as my openid. So I do.
Plaxo accepts that openid, and no login experience at the OP is provided; I'll assume my google credentials are being applied somehow at blogspot.com, possibly leveraging a "google accounts" session. Anyway, blogspot releases an assertion between blogspot.com and plaxo.com. I'm not sure whether sreg is used, as if google profile AX values are applied, or blogspot profile values are applied.
Earlier, plaxo accepted the Google OP too - and bound it to my plaxo account.
Do I now have two openids provisioned by one OP (operated as different domain names)?
Do I now have two openids provisioned by two OPs?
Are the openids synonyms? Are their lifecycles synced? i.e. destruction of one leads to destruction of the other?
If I unbind one from plaxo, is the protocol supposed to unbind the other too (since plaxo may be supposed to know that they are synonyms)?
Are these the kind of problems that XRI was supposed to solve? - so RPs could use the metadata to act "intelligently" when faced with openid synonyms?
Is the idea that - should blogspot be sold off and become unconnected with Google Accounts, my blogspot openid may one day no longer be a synonym, and plaxo would then know no longer to unbind me from the gmail openid (merely because I opt to unbind my plaxo account from blogspot)?
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general