[OpenID] Summarizing my grouse with XRD

Santosh Rajan santrajan at gmail.com
Wed Oct 21 17:37:23 UTC 2009


Robots.txt's are unique to a specific resource. The scope of XRD's is larger
than that. XRD's are not unique to individuals when used as identities.
Using a <Subject> is the only way you can differentiate XRD's belonging to
the same individual or resource. That's why I said we are comparing apples
and oranges.

On Wed, Oct 21, 2009 at 10:24 PM, Ben Laurie <benl at google.com> wrote:

> On Wed, Oct 21, 2009 at 5:07 PM, Santosh Rajan <santrajan at gmail.com>
> wrote:
> > Comparing robots.txt with an XRD is like comparing "apples with oranges".
> > Can you do better than that? Caching robots.txt is not the same as
> caching
> > an XRD. I will explain.
> > If my browser wants to cache all my XRD's. This is a real possibility. I
> may
> > have XRD's at Google, Yahoo, Microsoft and "my own" host. The only way
> you
> > can differentiate between all these XRD's is if the XRD's have a
> <Subject>.
>
> If we were defining robots.txt today, we might consider doing it as an
> XRD. So, it seems to me that the comparison is entirely fair.
>
> >
> > On Wed, Oct 21, 2009 at 9:28 PM, Breno de Medeiros <breno at google.com>
> wrote:
> >>
> >> On Wed, Oct 21, 2009 at 8:47 AM, Santosh Rajan <santrajan at gmail.com>
> >> wrote:
> >> > This is further to my post "Open Challenge to webfinger, XRD". The
> post
> >> > has
> >> > grown in all directions. So I would like to put my arguments in a
> >> > nutshell.
> >> >
> >> > The idea of an XRD without a Subject is unacceptable for the following
> >> > reasons.
> >> > 1) XRD without <Subject> is a security risk. If nothing, it makes life
> >> > easier for the "Man in the middle attacker".
> >>
> >> Not necessarily all applications are security sensitive. Think about
> >> robots.txt. Does it have a Subject? No. Does it introduce security
> >> vulnerabilities? No. Is it metadata about something? Yes.
> >>
> >> > 2) Caching of XRD's is thrown out of the window. You can't cache
> XRD's
> >> > without a <Subject>. I firmly believe that Caching of XRD's will be a
> >> > "BIG
> >> > THING". Applications "IN THE KNOW OF XRD's" will definitely like to
> >> > cache
> >> > XRD's. It will definitely speed up the discovery process.
> >>
> >> No. Lack of a subject does not prevent anyone from caching robots.txt
> >> and will not prevent anyone from caching XRDs. Indeed, caching XRD
> >> works completely independent of the Subject. For instance, if a
> >> client follows a sequence of cacheable redirects and gets an XRD
> >> document, it should be able to retrieve the XRD from cache next time
> >> it discovers the same resource (regardless of whether the resource is
> >> also the Subject of the XRD, an Alias listed in the XRD or if the XRD
> >> has no Subject).
> >>
> >> > 3) I am seeing the real possibility that applications will be
> developed
> >> > where users can "save" their XRD's locally. Further, users may be able
> >> > to
> >> > upload their XRD's to sites that require it. All this will require a
> >> > <Subject>.
> >>
> >> No, it doesn't. See robots.txt
> >>
> >>
> >>
> >> --
> >> --Breno
> >
> >
> >
> > --
> > http://hi.im/santosh
> >
> >
> >
>



-- 
http://hi.im/santosh
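The disagreement above turns on one concrete check: whether a client can bind a retrieved XRD to the resource it was asking about. The following is an added example, not code from the thread or from any XRD implementation, that shows both positions side by side. It parses a minimal XRD (the real XRD 1.0 namespace, `http://docs.oasis-open.org/ns/xri/xrd-1.0`, with `Subject`, `Alias` and `Link` elements), caches every document under the URL it was fetched from, and additionally indexes it under the resource identifier only when the document's `Subject` or an `Alias` actually names that resource. The sample XRDs and the `acct:` identifiers are constructed for the example.

```python
import xml.etree.ElementTree as ET

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"

# Constructed sample documents (not taken from the thread).
XRD_WITH_SUBJECT = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>acct:alice@example.com</Subject>
  <Alias>http://example.com/alice</Alias>
  <Link rel="http://webfinger.net/rel/profile-page" href="http://example.com/alice"/>
</XRD>"""

XRD_WITHOUT_SUBJECT = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="http://webfinger.net/rel/profile-page" href="http://example.com/bob"/>
</XRD>"""


def parse_xrd(xml_text):
    """Extract Subject, Aliases and Links from an XRD document.

    For real-world (untrusted) input, parse with a hardened XML parser
    such as defusedxml; the standard library parser is used here only
    because the inputs are constructed.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{XRD_NS}}}XRD":
        raise ValueError("not an XRD document")
    subject_el = root.find(f"{{{XRD_NS}}}Subject")
    subject = None
    if subject_el is not None and subject_el.text:
        subject = subject_el.text.strip()
    aliases = [a.text.strip() for a in root.findall(f"{{{XRD_NS}}}Alias") if a.text]
    links = [dict(link.attrib) for link in root.findall(f"{{{XRD_NS}}}Link")]
    return {"subject": subject, "aliases": aliases, "links": links}


def describes(xrd, resource):
    """True if the XRD names `resource` as its Subject or as one of its Aliases."""
    return resource == xrd["subject"] or resource in xrd["aliases"]


class XrdCache:
    """Two views of the same cache.

    _by_url:      keyed by the URL the document was fetched from. This works
                  with or without a Subject (the robots.txt-style argument).
    _by_resource: keyed by the resource identifier the client asked about.
                  An entry is only created when the document itself claims
                  to describe that resource, so a document that arrived
                  for a different (or no) Subject cannot be served for it.
    """

    def __init__(self):
        self._by_url = {}
        self._by_resource = {}

    def store(self, retrieval_url, resource, xml_text):
        """Cache the document; return 'bound' or 'unbound' for the resource index."""
        xrd = parse_xrd(xml_text)
        self._by_url[retrieval_url] = xrd
        if describes(xrd, resource):
            self._by_resource[resource] = xrd
            return "bound"
        return "unbound"

    def lookup_by_url(self, retrieval_url):
        return self._by_url.get(retrieval_url)

    def lookup_by_resource(self, resource):
        return self._by_resource.get(resource)


if __name__ == "__main__":
    cache = XrdCache()
    print(cache.store("http://example.com/.well-known/host-meta",
                      "acct:alice@example.com", XRD_WITH_SUBJECT))
    print(cache.store("http://example.com/bob.xrd",
                      "acct:bob@example.com", XRD_WITHOUT_SUBJECT))
    # A document whose Subject names someone else is cached by URL but is
    # never indexed under the resource the client asked for.
    print(cache.store("http://example.com/other.xrd",
                      "acct:mallory@example.com", XRD_WITH_SUBJECT))
```

Running it shows the two cache views diverge only for documents that carry no `Subject` or `Alias` matching the queried resource: those are still reusable when the same retrieval URL is hit again, but they cannot be looked up (or handed off to another application) by resource identifier alone, which is exactly the capability the thread is arguing over.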