[OpenID] Summarizing my grouse with XRD

Santosh Rajan santrajan at gmail.com
Wed Oct 21 15:47:58 UTC 2009


This is further to my post "Open Challenge to webfinger, XRD". The post has
grown in all directions. So I would like to put my arguments in a nutshell.

The idea of an XRD without a Subject is unacceptable for the following
reasons.
1) XRD without <Subject> is a security risk. If nothing else, it makes life
easier for the "Man in the middle attacker".
2) Caching of XRDs is thrown out of the window. You can't cache XRDs
without a <Subject>. I firmly believe that caching of XRDs will be a "BIG
THING". Applications "IN THE KNOW OF XRDs" will definitely like to cache
XRDs. It will definitely speed up the discovery process.
3) I am seeing the real possibility that applications will be developed
where users can "save" their XRDs locally. Further, users may be able to
upload their XRDs to sites that require it. All this will require a
<Subject>.
4) I "SUSPECT" XRDs without <Subject> play into the interests of large
organizations. XRDs without <Subject> will keep us dependent on the large
organizations, because XRDs without <Subject> are transient and cannot be
"Saved".

Now if we conclude from the four points above that the <Subject> of the XRD
MUST be mandatory, the following will follow.
1) Host-meta MUST have a <Subject> Element.
2) The idea that the host-meta XRD must be different from the resource XRD
pointed to with the same domain is a "KLUTZ" being enforced on us by the
large organizations, who would like to have XRDs without <Subject>. I have
explained my argument against this in my answer to John Bradley and John Kemp,
which I will copy and paste here.

>>>>>>> Now this is exactly the point I am making, that the personal XRD and
host meta are the same in the case a domain name also describes a personal
resource. In the case of "thread-safe.net" your personal XRD and the host
meta are the same. There is no contradiction here. It is only the context in
which the resource is looked for that makes a difference.
So if you typed in "thread-safe.net" as your OpenID, the application will
simply treat the host meta as your personal XRD. On the other hand, if you
typed in john at ... or thread-safe.net/john, the application will treat the
XRD as host meta and look for a URITemplate with Rel="describedby" +
MediaType="application/xrd_xml".

The Rel values for your Personal Links and "general" resource Links will not
be the same. There will be no overlap or contradictions here. This way we
keep the whole concept clean and simple.
<<<<<<

>>>>>>> The application looking for a resource already knows whether it is
looking for an "information resource" or "non information resource". The
application already knows what it is looking for in an XRD. The idea of
trying to differentiate this XRD is moot under the circumstances. Unless of
course you can show a use case where an application does NOT know what it is
looking for in an XRD.
<<<<<<<<<

Regarding the fact that I have suggested the idiocy of the XRI TC in the earlier
thread, I want to make a clarification on this. By no means am I suggesting
that members of the XRI TC individually are idiots. On the other hand I
consider them "brilliant individuals" alone. Unfortunately the way the world
works, brilliant individuals can collectively come up with "IDIOTIC"
conclusions. And this is not only true of the XRI TC but any group of people
coming together worldwide. The phrase "The Camel is a Horse designed by a
committee" is very appropriate here.

I have a third grouse with XRD about "delegation". But I will leave it for
another post.
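The post argues that an XRD with no <Subject> cannot be bound to the identifier a client asked about, so it can neither be verified against a man-in-the-middle substitution nor be cached, and that host-meta discovery works by following a describedby URITemplate. The following is an added example (not code from this mailing list post, from any XRD specification or from any XRD implementation) that puts that argument into a small Python XRD consumer: it refuses to cache a document whose Subject (or Alias) does not match the requested identifier, and it expands a host-meta describedby template into a resource URL. The element and attribute names (Subject, Alias, Link with rel/type/template), the XRD 1.0 namespace URI and the `{uri}` template variable are assumptions about XRD 1.0; the two documents, the domain `thread-safe.example` and the rel values are constructed for the example.

```python
"""Minimal XRD consumer that requires a <Subject> before trusting or caching.

Added example, not code from the mailing list post or from any XRD library.
Assumes XRD 1.0 element/attribute names and a {uri} template variable.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import quote

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"  # XRD 1.0 namespace (assumed)
XRD_TYPE = "application/xrd+xml"


@dataclass
class XRD:
    subject: Optional[str]
    aliases: List[str] = field(default_factory=list)
    links: List[Dict[str, str]] = field(default_factory=list)


def parse_xrd(xml_text: str) -> XRD:
    """Parse an XRD document into a small record (no network, no validation of Links)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}XRD" % XRD_NS:
        raise ValueError("not an XRD document")
    subj = root.find("{%s}Subject" % XRD_NS)
    subject = subj.text.strip() if subj is not None and subj.text else None
    aliases = [a.text.strip() for a in root.findall("{%s}Alias" % XRD_NS) if a.text]
    links = [dict(link.attrib) for link in root.findall("{%s}Link" % XRD_NS)]
    return XRD(subject, aliases, links)


def subject_matches(xrd: XRD, requested: str) -> bool:
    """Without a Subject the document is tied to nobody, so it never matches."""
    if xrd.subject is None:
        return False
    return requested in [xrd.subject] + xrd.aliases


class XRDCache:
    """Cache keyed by Subject; a document must name the identifier it was fetched for."""

    def __init__(self) -> None:
        self._store: Dict[str, XRD] = {}

    def put(self, xrd: XRD, requested: str) -> bool:
        # Reject both the Subject-less document and a document issued for someone else.
        if not subject_matches(xrd, requested):
            return False
        self._store[xrd.subject] = xrd
        return True

    def get(self, identifier: str) -> Optional[XRD]:
        return self._store.get(identifier)


def describedby_template(xrd: XRD) -> Optional[str]:
    """Return the host-meta Link template that points at per-resource XRDs."""
    for link in xrd.links:
        if link.get("rel") == "describedby" and link.get("type") == XRD_TYPE and "template" in link:
            return link["template"]
    return None


def expand_template(template: str, uri: str) -> str:
    """Substitute the resource URI into {uri}, percent-encoded so it stays one query value."""
    return template.replace("{uri}", quote(uri, safe=""))


# Constructed sample documents (not real hosts).
HOST_META = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://thread-safe.example/</Subject>
  <Link rel="describedby" type="application/xrd+xml"
        template="http://thread-safe.example/xrd?uri={uri}"/>
</XRD>"""

PERSONAL_NO_SUBJECT = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="http://rel.example/profile-page" href="http://thread-safe.example/john"/>
</XRD>"""


def demo():
    """Walk the discovery steps: cache host-meta, derive the resource URL, refuse the Subject-less XRD."""
    cache = XRDCache()
    host = parse_xrd(HOST_META)
    host_cached = cache.put(host, "http://thread-safe.example/")
    # The same document presented for a different identifier must not be accepted.
    wrong_subject_cached = cache.put(host, "http://attacker.example/")
    resource_url = expand_template(describedby_template(host), "http://thread-safe.example/john")
    personal = parse_xrd(PERSONAL_NO_SUBJECT)
    personal_cached = cache.put(personal, "http://thread-safe.example/john")
    return host_cached, wrong_subject_cached, resource_url, personal_cached


if __name__ == "__main__":
    print(demo())
```

The cache check is where the post's first two points meet: the Subject is what lets the consumer compare the document it received with the identifier it asked for, and only a document that passes that comparison is worth keeping. When the input comes from the network, parse it with a hardened XML parser rather than the stdlib one used here.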