[OpenID] Summarizing my grouse with XRD
Santosh Rajan
santrajan at gmail.com
Wed Oct 21 16:07:03 UTC 2009
Comparing robots.txt with an XRD is like comparing "apples with oranges".
Can you do better than that? Caching robots.txt is not the same as caching
an XRD. I will explain. Suppose my browser wants to cache all my XRDs. This is a
real possibility. I may have XRDs at Google, Yahoo, Microsoft and "my own"
host. The only way you can differentiate between all these XRDs is if the
XRDs have a <Subject>.
On Wed, Oct 21, 2009 at 9:28 PM, Breno de Medeiros <breno at google.com> wrote:
> On Wed, Oct 21, 2009 at 8:47 AM, Santosh Rajan <santrajan at gmail.com>
> wrote:
> > This is further to my post "Open Challenge to webfinger, XRD". The post
> > has grown in all directions. So I would like to put my arguments in a
> > nutshell.
> >
> > The idea of an XRD without a Subject is unacceptable for the following
> > reasons.
> > 1) XRD without <Subject> is a security risk. If nothing else, it makes life
> > easier for the "man in the middle" attacker.
>
> Not necessarily all applications are security sensitive. Think about
> robots.txt. Does it have a Subject? No. Does it introduce security
> vulnerabilities? No. Is it metadata about something? Yes.
>
> > 2) Caching of XRDs is thrown out of the window. You can't cache XRDs
> > without a <Subject>. I firmly believe that caching of XRDs will be a "BIG
> > THING". Applications "IN THE KNOW OF XRDs" will definitely like to cache
> > XRDs. It will definitely speed up the discovery process.
>
> No. Lack of a subject does not prevent anyone from caching robots.txt
> and will not prevent anyone from caching XRDs. Indeed, caching XRDs
> works completely independently of the Subject. For instance, if a
> client follows a sequence of cacheable redirects and gets an XRD
> document, it should be able to retrieve the XRD from cache next time
> it discovers the same resource (regardless of whether the resource is
> also the Subject of the XRD, an Alias listed in the XRD, or if the XRD
> has no Subject).
>
> > 3) I am seeing the real possibility that applications will be developed
> > where users can "save" their XRDs locally. Further, users may be able to
> > upload their XRDs to sites that require it. All this will require a
> > <Subject>.
>
> No, it doesn't. See robots.txt
>
>
>
> --
> --Breno
>
--
http://hi.im/santosh
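Editor's added example, not code from either correspondent or from the XRD specification: a small XRD parser plus a cache that can be keyed either by the identifier the document claims for itself (<Subject> or <Alias>, the check Santosh wants) or by the URL the document was fetched from (which, as Breno notes, needs no Subject at all). The namespace URI is the XRD 1.0 one; the two sample documents, the hosts, the account and the Link rel are constructed for the example.

```python
"""Parse XRD documents and show two ways of keying an XRD cache.

Constructed example for the discussion above; not code from either
correspondent or from the XRD/WebFinger specifications.
"""
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml
from urllib.parse import urlsplit, urlunsplit

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"  # XRD 1.0 namespace


def q(tag):
    """Clark-notation name for an element in the XRD namespace."""
    return "{%s}%s" % (XRD_NS, tag)


# Constructed sample documents. Hosts, account and the Link rel are made up.
XRD_WITH_SUBJECT = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:alice@example.com</Subject>
  <Alias>http://Example.com/alice</Alias>
  <Link rel="http://example.com/rel/idp" href="https://idp.example.com/"/>
</XRD>
"""

XRD_NO_SUBJECT = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="http://example.com/rel/idp" href="https://idp.example.com/"/>
</XRD>
"""


def normalize(uri):
    """Case-fold scheme and host so equal identifiers compare equal."""
    p = urlsplit(uri.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))


def parse_xrd(xml_text):
    """Return Subject, Aliases and Links of an XRD; Subject is None if absent."""
    root = ET.fromstring(xml_text)
    if root.tag != q("XRD"):
        raise ValueError("not an XRD document: %s" % root.tag)
    return {
        "subject": root.findtext(q("Subject")),
        "aliases": [a.text for a in root.findall(q("Alias")) if a.text],
        "links": [(ln.get("rel"), ln.get("href")) for ln in root.findall(q("Link"))],
    }


def describes(xrd, resource):
    """True only if the XRD itself names `resource` as Subject or an Alias."""
    if xrd["subject"] is None:
        return False  # nothing in the document ties it to any resource
    ids = {normalize(i) for i in [xrd["subject"]] + xrd["aliases"]}
    return normalize(resource) in ids


class XRDCache:
    """Two keyings: by the identifier the document claims, and by fetch URL."""

    def __init__(self):
        self._by_subject = {}
        self._by_location = {}

    def store_by_subject(self, resource, xrd):
        # Subject-keyed storage refuses a document that does not name the
        # resource: an XRD served for one identity cannot be filed under another.
        if not describes(xrd, resource):
            raise ValueError("XRD does not name %s as Subject or Alias" % resource)
        self._by_subject[normalize(resource)] = xrd

    def store_by_location(self, url, xrd):
        # Location-keyed storage needs no Subject: the key is where the
        # document was retrieved from, not what it says about itself.
        self._by_location[normalize(url)] = xrd

    def lookup_subject(self, resource):
        return self._by_subject.get(normalize(resource))

    def lookup_location(self, url):
        return self._by_location.get(normalize(url))


if __name__ == "__main__":
    cache = XRDCache()
    doc = parse_xrd(XRD_WITH_SUBJECT)
    cache.store_by_subject("acct:alice@example.com", doc)
    cache.store_by_subject("http://example.com/alice", doc)  # an Alias works too
    anon = parse_xrd(XRD_NO_SUBJECT)
    cache.store_by_location("https://example.com/.well-known/host-meta", anon)
    try:
        cache.store_by_subject("acct:alice@example.com", anon)
    except ValueError as e:
        print("rejected:", e)
```

The Subject-less document is accepted by the location-keyed store and rejected by the subject-keyed one, which is the whole disagreement in the thread reduced to two method calls: the first keying trusts the transport path that delivered the document, the second also requires the document to say which resource it describes.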