[OpenID] Open Challenge to webfinger and XRD
John Bradley
ve7jtb at ve7jtb.com
Tue Oct 20 14:40:22 UTC 2009
For the signed XRD trust model the Subject must be explicit.
I am hoping that for openID we opt to use an appropriate trust model
that involves signatures.
The XRD without a subject is essentially the status quo.
Without signed XRD you have to trust entirely in session security,
and at that point if someone can hijack the session they can easily
fake the Subject.
While I happen to agree that for the most part XRD without subjects
(like all of the Yadis XRDS documents currently used) are not ideal
from a security point of view, it is not up to the XRD spec
to preclude them.
I can only hope to see the openID community adopt signed XRD as a more
secure option to what we currently have with Yadis.
John B.
On 2009-10-20, at 11:17 AM, Santosh Rajan wrote:
> So now I want to post my grouse no (2) with XRD. The idea that the
> <Subject> of an XRD can be implicit or "0" is a BAD BAD BAD Idea!!
> Sorry Dirk for the Caps and exclamations. I will list out the reasons.
>
> 1) XRD without <Subject> is a security risk. If nothing, it makes
> life easier for the "Man in the middle attacker".
> 2) Caching of XRDs is thrown out of the window. You can't cache
> XRDs without a <Subject>. I firmly believe that Caching of XRDs
> will be a "BIG THING". Applications "IN THE KNOW OF XRDs" will
> definitely like to cache XRDs. It will definitely speed up the
> discovery process.
> 3) The whole idea of millions/billions XRD's flying around the WWW
> like "headless chicken" (without subject) is giving me nightmares.
>
> The <Subject> MUST be made mandatory for every XRD.
>
> On Tue, Oct 20, 2009 at 2:26 AM, Breno de Medeiros
> <breno at google.com> wrote:
> The subject of an XRD is implicitly the URI of the resource that was
> discovered and resulted in this XRD being returned as its metadata. So
> in general Subject is not needed.
>
> When the same metadata applies to multiple URIs then one can be the
> Subject and others can be Aliases.
>
> Another use for Subject is for the XRD signature. A sound trust model
> needs to validate the binding of subject and metadata in the
> signature, so Subject should always be present in signed documents,
> unless the application defines other means to bind the metadata and
> resource in a verifiable way.
>
>
> --
> --Breno
>
> +1 (650) 214-1007 desk
> +1 (408) 212-0135 (Grand Central)
> MTV-41-3 : 383-A
> PST (GMT-8) / PDT(GMT-7)
>
>
>
> --
> http://hi.im/santosh
>
>
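
The subject binding discussed in this thread (an explicit Subject in a signed XRD, matched against the resource that was discovered, before the document is trusted or cached), as an added Python example that is not part of the original messages. It assumes the XML signature has already been verified by an XML-DSig library; the function names and sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"  # XRD 1.0 namespace

class SubjectBindingError(Exception):
    """The XRD cannot be tied to the resource that was discovered."""

def bound_names(xrd_xml, requested_uri):
    """Return (subject, names) if the XRD explicitly names requested_uri.

    Assumption: the signature over this document was already verified with
    an XML-DSig library; this step checks what the signed content claims.
    """
    if "<!DOCTYPE" in xrd_xml:  # refuse DTDs and entity tricks
        raise SubjectBindingError("DOCTYPE not allowed")
    root = ET.fromstring(xrd_xml)
    if root.tag != NS + "XRD":
        raise SubjectBindingError("not an XRD document")
    subject = (root.findtext(NS + "Subject") or "").strip()
    if not subject:
        raise SubjectBindingError("no explicit Subject")
    aliases = {(a.text or "").strip() for a in root.findall(NS + "Alias")}
    names = ({subject} | aliases) - {""}
    if requested_uri not in names:  # exact match; no URI normalization here
        raise SubjectBindingError("XRD is about %s, not %s" % (subject, requested_uri))
    return subject, names

def cache_xrd(cache, xrd_xml, requested_uri):
    """Cache the XRD under its Subject only after the binding check passes."""
    subject, _ = bound_names(xrd_xml, requested_uri)
    cache[subject] = xrd_xml
    return subject

# Constructed sample documents (not taken from the thread).
XRD_OK = ("<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'>"
          "<Subject>http://example.com/alice</Subject>"
          "<Alias>http://alice.example.com/</Alias></XRD>")
XRD_NO_SUBJECT = "<XRD xmlns='http://docs.oasis-open.org/ns/xri/xrd-1.0'/>"

if __name__ == "__main__":
    cache = {}
    print(cache_xrd(cache, XRD_OK, "http://alice.example.com/"))
    for doc, uri in ((XRD_NO_SUBJECT, "http://example.com/alice"),
                     (XRD_OK, "http://example.com/mallory")):
        try:
            cache_xrd(cache, doc, uri)
        except SubjectBindingError as exc:
            print("rejected:", exc)
```

An XRD with no Subject gives the cache nothing to key on and gives the signature nothing to bind the metadata to, so both cases are rejected before anything is stored.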