[OpenID] Summarizing my grouse with XRD
Breno de Medeiros
breno at google.com
Wed Oct 21 15:58:47 UTC 2009
On Wed, Oct 21, 2009 at 8:47 AM, Santosh Rajan <santrajan at gmail.com> wrote:
> This is further to my post "Open Challenge to webfinger, XRD". The post has
> grown in all directions. So I would like to put my arguments in a nutshell.
>
> The idea of an XRD without a Subject is unacceptable for the following
> reasons.
> 1) XRD without <Subject> is a security risk. If nothing, it makes life
> easier for the "Man in the middle attacker".
Not necessarily all applications are security sensitive. Think about
robots.txt. Does it have a Subject? No. Does it introduce security
vulnerabilities? No. Is it metadata about something? Yes.
> 2) Cacheing of XRD's is thrown out of the window. You can't cache XRD's
> without a <Subject>. I firmly believe that Cacheing of XRD's will be a "BIG
> THING". Applications "IN THE KNOW OF XRD's" will deifinitely like to cache
> XRD's. It will definitely speed up the discovery process.
No. Lack of a subject does not prevent anyone from caching robots.txt
and will not prevent anyone from caching XRDs. Indeed, caching XRD
works completely independent of the Subject. For instance, if a
client follows a sequence of cacheable redirects and gets an XRD
document, it should be able to retrieve the XRD from cache next time
it discovers the same resource (regardless of whether the resource is
also the Subject of the XRD, an Alias listed in the XRD or if the XRD
has no Subject).
> 3) I am seeing the real possibility that applications will be developed
> where users can "save" their XRD's locally. Further, users may be able to to
> upload their XRD's to sites that require it. All this will require a
> <Subject>.
No, it doesn't. See robots.txt
--
--Breno
More information about the general
mailing list