[OpenID] Is a URI Template really required for host-meta?

Santosh Rajan santrajan at gmail.com
Sat Nov 14 08:43:41 UTC 2009 

Thanks, thats more or less what I am trying to figure. Except that this
protocol will be part of the host-meta spec itself and we avoid any extra
round trip. Once the host meta is retrieved, the client can construct
effectively the same uri that you would have otherwise got by expanding the
uri template.

On Sat, Nov 14, 2009 at 1:32 PM, John Panzer <jpanzer at google.com> wrote:

> I think you're proposing a simple protocol to handle mapping from the
> subject to another URI that contains the actual XRD you want.
>
> So for example, as a straw man, you could say "take the URI with rel
> http://ietf.org/service/resolve/xrd, append a query parameter subject=<uri
> escaped value of subject>, and do a GET on the resulting URI.  The response,
> if successful, is a 200 whose body consists of the URI to the actual desired
> XRD document".
>
> The benefit of this would be that you would avoid the need for a
> URITemplate element and client binding of the {uri} variable to the
> subject.
>
> The drawbacks are that you incur the need for an extra HTTP round trip,
> rather than just a client side template expansion, to discover the URI of
> the actual XRD you want; you need to define yet another protocol, albeit a
> small one, to do the retrieval; you need to run another service, albeit a
> trivial one, to do the mappings server side; and you need to answer some
> tricky questions about trust and security (if the resolver is not done over
> SSL and certs checked, this becomes another vector for MITM and DNS
> poisoning attacks).
>
> --
> John Panzer / Google
> jpanzer at google.com / abstractioneer.org / @jpanzer
>
>
>
> On Fri, Nov 13, 2009 at 6:18 PM, Santosh Rajan <santrajan at gmail.com>wrote:
>
>> One of the purposes of the host-meta is to map a given URI to its XRD
>> available on the server. Currently this is done by using a URITemplate.
>> <URITemplate>http://example.com/getxrd?q={uri}<http://example.com/getxrd?q=%7Buri%7D>
>> <URITemplate>
>>
>> Instead can the host-meta define a resolver service on the host, that
>> returns an XRD given the Subject URI? eg. The host-meta can define a service
>> on the server that accepts a GET or POST request with a single parameter
>> passed whose key is "subject", and "value" is the subject URI to be
>> resolved. In this case we only need a URI to the service on the server and
>> can be written like this.
>>
>> <link rel="http://ietf.org/service/resolve/xrd"
>>     type="application/xrd+xml"
>>     href="http://example.com/getxrd"/>
>>
>> (the rel value is just an example)
>>
>> Advantages of this being
>> 1) No need for template and template mapping
>> 2) The idea is consistent with the host-meta being an aggregator of the
>> XRD's available on the host.
>>
>> Any reason this could be a bad idea?
>>
>> --
>> http://hi.im/santosh
>>
>>
>>
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
>>
>>
>


-- 
http://hi.im/santosh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20091114/55c89145/attachment.htm>

More information about the general mailing list