[OpenID] Open Challenge to webfinger and XRD
Santosh Rajan
santrajan at gmail.com
Tue Oct 20 14:17:13 UTC 2009
So now I want to post my grouse no (2) with XRD. The idea that the
<Subject> of an XRD can be implicit or "0" is a BAD BAD BAD Idea!! Sorry
Dirk for the Caps and exclamations. I will list out the reasons.
1) XRD without <Subject> is a security risk. If nothing, it makes life
easier for the "Man in the middle attacker".
2) Cacheing of XRD's is thrown out of the window. You can't cache XRD's
without a <Subject>. I firmly believe that Cacheing of XRD's will be a "BIG
THING". Applications "IN THE KNOW OF XRD's" will deifinitely like to cache
XRD's. It will definitely speed up the discovery process.
3) The whole idea of millions/billions XRD's flying around the WWW like
"headless chicken" (without subject) is giving me nightmares.
The <Subject> MUST be made mandatory for every XRD.
On Tue, Oct 20, 2009 at 2:26 AM, Breno de Medeiros <breno at google.com> wrote:
> The subject of an XRD is implicitly the URI of the resource that was
> discovered and resulted in this XRD being returned as its metadata. So
> in general Subject is not needed.
>
> When the same metadata applies to multiple URIs then one can be the
> Subject and others can be Aliases.
>
> Another use for Subject is for the XRD signature. A sound trust model
> needs to validate the binding of subject and metadata in the
> signature, so Subject should always be present in signed documents,
> unless the application defines other means to bind the metadata and
> resource in a verifiable way.
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>
--
http://hi.im/santosh
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20091020/69155e5a/attachment.htm>
More information about the general
mailing list