[OpenID] metadata/annotations in the primary key

Peter Williams pwilliams at rapattoni.com
Thu Jun 25 01:39:37 UTC 2009


The singular most important property of openid auth for us is the portability benefit. Thus, only openid delegation flows are of ANY interest.

There are always 2 XRDs involved in a protocol run, for me. If this assumption is wrong, I'm still seriously struggling :-(

Peter.

-----------



One XRD is maintained by Yahoo, and another XRD is hanging off my blog.com site. Yahoo writes and serves one; I write and serve the other.

My blog.com site landing page has X-XRDS... metadata tags that point to my XRD#1, hosted at somewhereelse.com.

At Plaxo, I type my blog site (vanity) URL as openid. It eventually redirects to a final URL under the domain of the blog provider.

My XRD file from the X-XRDS... metadata tag is resolved, and its localid (in the yahoo SEP element) happens to be the OP identifier of Yahoo.

Access#1 (to an XRD) was thus to a file that I wrote, and this drives values in authnReq. SHOULD/MUST the localid from this XRD#1 populate openid.identifier in the AuthnReq?

Yahoo sends back an assertion, having performed the required directed id flow. The asserted identifier in the Yahoo assertion is never the same as the final URL of my blog site (whose final URL is currently stored in RP state). Thus, Bufu rule says that the RP detecting this mismatch MUST access and use a second XRD#2.

Access#2 (to an XRD#2) is thus to the Yahoo-maintained XRD#2, resolved by following the identifier claim from the assertion.

"To perform Bufu rule, RP looks at localid from OP-maintained XRD#2 access#2 and compares it (as given) to the identity claim (as given) from the earlier assertion, looking for a "match"."

Is that correct? Or should it be

"To perform Bufu rule, RP looks at localid (as given) from OP-maintained XRD#2 access#2 and compares it to the localid (as given) from XRD#1 access#1, looking for a "match"."


If there is a "match", the primary key at the RP should be the blog site URL, as redirected to a final URL.

Is that correct? Or should it be

If there is a "match", the primary key at the RP should be the identity field from the assertion.

The process of "matching" a localid to something requires pre-processing the localid value to a "normalized" form. If a localid has value xri://!!1000*($-Rapattoni%20Corp.)!5678*($-Peter%20Williams), the $- values are NOT significant when "matching". If something is also an XRI, it must be similarly normalized.

Is this last part on XRI matching correct?

If the primary key is an XRI or HXRI, the primary key value is "as given" on the wire. It is not normalized by the RP, which would make $- annotations non-significant for equivalence.

Is this primary key rule correct?


Thanks!

________________________________
From: Andrew Arnott [andrewarnott at gmail.com]
Sent: Wednesday, June 24, 2009 4:52 PM
To: Peter Williams
Cc: general at openid.net
Subject: Re: [OpenID] metadata/annotations in the primary key

On Wed, Jun 24, 2009 at 4:24 PM, Peter Williams <pwilliams at rapattoni.com> wrote:
we typically say that a good RP would use the validated localid as its primary key, especially in the delegation flows.

If I understand you correctly, all I have to do is set up a claimed identifier that points to my own OP endpoint, but uses your localid value.  Then I can spoof your identity at a 'good RP'.  Is that right?

Claimed Identifiers are supposed to be "primary keys" -- not local ids!  Nowhere in the OpenID protocol does the user prove he controls an OP local identifier.  They only prove they control the Claimed Identifier.  Therefore, RPs must only key off of the claimed ID.
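The check Andrew describes, as an added example that is not part of this thread: a Python sketch of an RP that re-discovers the asserted Claimed Identifier, confirms the asserting OP is the one discovery names for it, and keys the account on the Claimed Identifier rather than the local id. Discovery is a constructed in-memory table and every URL is made up; the `discover` hook and `key_on_local_id` contrast function are hypothetical.

```python
from urllib.parse import urldefrag

class VerificationError(Exception):
    """Raised when an assertion is not backed by discovery on its Claimed Identifier."""

# Constructed stand-in for XRDS discovery: Claimed Identifier -> (OP endpoint, local id).
# The victim's blog delegates to their OP; the attacker's page names the attacker's own
# OP endpoint but copies the victim's local id, which is the spoof Andrew describes.
DISCOVERY = {
    "https://victim.blog.example/": ("https://op.example/server", "https://victim.op.example/"),
    "https://attacker.example/me": ("https://evil.example/server", "https://victim.op.example/"),
}

def discover(claimed_id):
    """Hypothetical discovery hook; a real RP would fetch and parse the XRDS document."""
    try:
        return DISCOVERY[claimed_id]
    except KeyError:
        raise VerificationError("discovery failed for %s" % claimed_id)

def verify_assertion(assertion):
    """Return the account key for a positive assertion, or raise VerificationError.
    Re-discovers the Claimed Identifier and requires the asserting OP endpoint and the
    asserted local id to be exactly what discovery yields (OpenID 2.0 section 11.2).
    """
    claimed_id, _ = urldefrag(assertion["openid.claimed_id"])  # fragment is never compared
    op_endpoint, local_id = discover(claimed_id)
    if assertion["openid.op_endpoint"] != op_endpoint:
        raise VerificationError("OP endpoint is not authorised for this Claimed Identifier")
    if assertion["openid.identity"] != local_id:
        raise VerificationError("asserted local id differs from the discovered local id")
    return claimed_id  # the Claimed Identifier is the only thing the user proved control of

def key_on_local_id(assertion):
    """The 'good RP uses the validated localid' rule from the thread, kept for contrast."""
    return assertion["openid.identity"]

# Constructed positive assertions, reduced to the fields this check needs.
VICTIM = {"openid.claimed_id": "https://victim.blog.example/",
          "openid.identity": "https://victim.op.example/",
          "openid.op_endpoint": "https://op.example/server"}
ATTACKER = {"openid.claimed_id": "https://attacker.example/me",
            "openid.identity": "https://victim.op.example/",
            "openid.op_endpoint": "https://evil.example/server"}

if __name__ == "__main__":
    # Keying on the local id merges both users into one account; the Claimed Identifier keeps them apart.
    print(key_on_local_id(VICTIM) == key_on_local_id(ATTACKER))    # True
    print(verify_assertion(VICTIM) == verify_assertion(ATTACKER))  # False
```

Both assertions pass verification because each page really does delegate to the OP that signed it, yet the attacker ends up with their own Claimed Identifier as key, not the victim's; an assertion naming the victim's Claimed Identifier but the attacker's OP endpoint is rejected outright.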


