[OpenID] Summarizing my grouse with XRD

Ben Laurie benl at google.com
Wed Oct 21 16:54:28 UTC 2009


On Wed, Oct 21, 2009 at 5:07 PM, Santosh Rajan <santrajan at gmail.com> wrote:
> Comparing robots.txt with an XRD is like comparing "apples with oranges".
> Can you do better than that? Caching robots.txt is not the same as caching
> an XRD. I will explain.
> If my browser wants to cache all my XRDs. This is a real possibility. I may
> have XRDs at Google, Yahoo, Microsoft and "my own" host. The only way you
> can differentiate between all these XRDs is if the XRDs have a <Subject>.

If we were defining robots.txt today, we might consider doing it as an
XRD. So, it seems to me that the comparison is entirely fair.

>
> On Wed, Oct 21, 2009 at 9:28 PM, Breno de Medeiros <breno at google.com> wrote:
>>
>> On Wed, Oct 21, 2009 at 8:47 AM, Santosh Rajan <santrajan at gmail.com>
>> wrote:
>> > This is further to my post "Open Challenge to webfinger, XRD". The post
>> > has
>> > grown in all directions. So I would like to put my arguments in a
>> > nutshell.
>> >
>> > The idea of an XRD without a Subject is unacceptable for the following
>> > reasons.
>> > 1) XRD without <Subject> is a security risk. If nothing, it makes life
>> > easier for the "Man in the middle attacker".
>>
>> Not necessarily all applications are security sensitive. Think about
>> robots.txt. Does it have a Subject? No. Does it introduce security
>> vulnerabilities? No. Is it metadata about something? Yes.
>>
>> > 2) Caching of XRDs is thrown out of the window. You can't cache XRDs
>> > without a <Subject>. I firmly believe that caching of XRDs will be a
>> > "BIG THING". Applications "IN THE KNOW OF XRDs" will definitely like to
>> > cache XRDs. It will definitely speed up the discovery process.
>>
>> No. Lack of a subject does not prevent anyone from caching robots.txt
>> and will not prevent anyone from caching XRDs. Indeed, caching XRD
>> works completely independent of the Subject. For instance, if  a
>> client follows a sequence of cacheable redirects and gets an XRD
>> document, it should be able to retrieve the XRD from cache next time
>> it discovers the same resource (regardless of whether the resource is
>> also the Subject of the XRD, an Alias listed in the XRD or if the XRD
>> has no Subject).
>>
>> > 3) I am seeing the real possibility that applications will be developed
>> > where users can "save" their XRDs locally. Further, users may be able
>> > to upload their XRDs to sites that require it. All this will require a
>> > <Subject>.
>>
>> No, it doesn't. See robots.txt
>>
>>
>>
>> --
>> --Breno
>
>
>
> --
> http://hi.im/santosh
>
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
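The two things argued over above, caching and the <Subject> check, as an added Python example that is not part of the thread: the cache is keyed by the resource the client discovered, so it works whether or not the document has a Subject (Breno's point), and an optional check uses <Subject>/<Alias> to refuse a document that does not claim to describe the resource asked about (the check Santosh wants). The example.com documents and the `fetch` callable are constructed stand-ins, not real hosts or a real HTTP client.

```python
import xml.etree.ElementTree as ET

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"  # XRD 1.0 namespace, Clark notation

def parse_xrd(xml_text):
    """Return the Subject (None if absent), Aliases and Links of one XRD document."""
    root = ET.fromstring(xml_text)
    if root.tag != XRD_NS + "XRD":
        raise ValueError("not an XRD document")
    return {
        "subject": root.findtext(XRD_NS + "Subject"),
        "aliases": [a.text for a in root.findall(XRD_NS + "Alias")],
        "links": [(ln.get("rel"), ln.get("href")) for ln in root.findall(XRD_NS + "Link")],
    }

def describes(xrd, resource):
    """True/False when the XRD has a Subject; None when it has none (undecidable)."""
    if xrd["subject"] is None:
        return None
    return resource == xrd["subject"] or resource in xrd["aliases"]

class XrdCache:
    """Cache keyed by the resource the client discovered, not by <Subject>."""
    def __init__(self, fetch, require_subject=False):
        self._fetch = fetch          # resource URI -> XRD text (stand-in for HTTP)
        self._store = {}
        self.require_subject = require_subject
        self.fetches = 0             # counts simulated network round trips

    def lookup(self, resource):
        if resource in self._store:  # cache hit: the Subject is never consulted
            return self._store[resource]
        self.fetches += 1
        xrd = parse_xrd(self._fetch(resource))
        # Optional check: refuse a document that does not claim (or cannot say) it describes 'resource'
        if self.require_subject and describes(xrd, resource) is not True:
            raise ValueError("XRD does not name %s as Subject or Alias" % resource)
        self._store[resource] = xrd
        return xrd

# Constructed sample documents (example.com, not real hosts): one with a
# Subject and Alias, one with no Subject at all.
DOCS = {
    "http://example.com/alice": '<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">'
        '<Subject>http://example.com/alice</Subject><Alias>acct:alice@example.com</Alias>'
        '<Link rel="describedby" href="http://example.com/alice.xrd"/></XRD>',
    "http://example.com/robots": '<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">'
        '<Link rel="robots" href="http://example.com/robots.txt"/></XRD>',
}
```

With `XrdCache(DOCS.get)` both documents are cached after one fetch each; with `require_subject=True` the subjectless document, and any document whose Subject/Alias does not match the requested resource, is rejected instead of cached.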