[OpenID] Summarizing my grouse with XRD

John Bradley ve7jtb at ve7jtb.com
Wed Oct 21 17:48:51 UTC 2009


Yes, an XRD can be used for identity. In that case it should be a signed XRD (with Subject).

However, an XRD can be used to describe any resource (URI).

I may have an XRD that describes my site in the same way a robots.txt might.

It might be used to enable Identity in the browser by allowing browser plugins to discover the site's policy (see Flock and other IdIB projects).

It may be more practical for some sites to point to a single document that is authoritative for all of the URIs on their site rather than forcing them to create individual XRDs for each URI where it may not be necessary.

XRD supports both models. I know you want us to restrict implementers to a single model.

That is not the role of the XRI-TC; if we don't support the use case, people will create their own hacks to get around the limitation.

I would oppose any vote in the TC to always require a Subject element in the XSD.

John B.

On 2009-10-21, at 2:37 PM, Santosh Rajan wrote:

> Robots.txt files are unique to a specific resource. The scope of XRDs
> is larger than that. XRDs are not unique to individuals when used
> as identities. Using a <Subject> is the only way you can
> differentiate XRDs belonging to the same individual or resource.
> That's why I said we are comparing apples and oranges.
>
> On Wed, Oct 21, 2009 at 10:24 PM, Ben Laurie <benl at google.com> wrote:
> On Wed, Oct 21, 2009 at 5:07 PM, Santosh Rajan <santrajan at gmail.com> wrote:
> > Comparing robots.txt with an XRD is like comparing "apples with oranges".
> > Can you do better than that? Caching robots.txt is not the same as caching
> > an XRD. I will explain.
> > If my browser wants to cache all my XRDs. This is a real possibility. I may
> > have XRDs at Google, Yahoo, Microsoft and "my own" host. The only way you
> > can differentiate between all these XRDs is if the XRDs have a <Subject>.
>
> If we were defining robots.txt today, we might consider doing it as an
> XRD. So, it seems to me that the comparison is entirely fair.
>
> >
> > On Wed, Oct 21, 2009 at 9:28 PM, Breno de Medeiros <breno at google.com> wrote:
> >>
> >> On Wed, Oct 21, 2009 at 8:47 AM, Santosh Rajan <santrajan at gmail.com> wrote:
> >> > This is further to my post "Open Challenge to webfinger, XRD". The post
> >> > has grown in all directions. So I would like to put my arguments in a
> >> > nutshell.
> >> >
> >> > The idea of an XRD without a Subject is unacceptable for the following
> >> > reasons.
> >> > 1) XRD without <Subject> is a security risk. If nothing else, it makes life
> >> > easier for the "man in the middle attacker".
> >>
> >> Not necessarily all applications are security sensitive. Think  
> about
> >> robots.txt. Does it have a Subject? No. Does it introduce security
> >> vulnerabilities? No. Is it metadata about something? Yes.
> >>
> >> > 2) Caching of XRDs is thrown out of the window. You can't cache XRDs
> >> > without a <Subject>. I firmly believe that caching of XRDs will be a "BIG
> >> > THING". Applications "IN THE KNOW OF XRDs" will definitely like to cache
> >> > XRDs. It will definitely speed up the discovery process.
> >>
> >> No. Lack of a subject does not prevent anyone from caching robots.txt
> >> and will not prevent anyone from caching XRDs. Indeed, caching XRD
> >> works completely independently of the Subject. For instance, if a
> >> client follows a sequence of cacheable redirects and gets an XRD
> >> document, it should be able to retrieve the XRD from cache next time
> >> it discovers the same resource (regardless of whether the resource is
> >> also the Subject of the XRD, an Alias listed in the XRD or if the XRD
> >> has no Subject).
> >>
> >> > 3) I am seeing the real possibility that applications will be developed
> >> > where users can "save" their XRDs locally. Further, users may be able
> >> > to upload their XRDs to sites that require it. All this will require a
> >> > <Subject>.
> >>
> >> No, it doesn't. See robots.txt.
> >>
> >>
> >>
> >> --
> >> --Breno
> >
> >
> >
> > --
> > http://hi.im/santosh
> >
> >
> >
> > _______________________________________________
> > general mailing list
> > general at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-general
> >
> >
>
>
>
> -- 
> http://hi.im/santosh
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
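Added example, not code from any poster in this thread, showing the two points argued above from the relying side: for identity use an XRD is accepted only when its Subject or an Alias names the resource that was actually resolved, while the cache is keyed by the discovered resource URI and so serves Subject-less site-wide XRDs just as well as identity XRDs. The XRD 1.0 namespace is the real one; the sample documents, URIs and the `iso`/`XrdCache` helper names are constructed for this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
from urllib.parse import urlsplit, urlunsplit

NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"  # XRD 1.0 namespace, Clark notation

def iso(ts):
    """Parse an xs:dateTime such as 2009-10-22T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(ts.strip().replace("Z", "+00:00"))

def normalize_uri(uri):
    """Lower-case scheme and host, default the path to '/', drop the fragment."""
    p = urlsplit(uri.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))

def parse_xrd(xrd_xml):
    """Return (subject or None, [aliases], expires or None) from an XRD 1.0 document."""
    root = ET.fromstring(xrd_xml)
    if root.tag != NS + "XRD":
        raise ValueError("not an XRD 1.0 document")
    subj, exp = root.find(NS + "Subject"), root.find(NS + "Expires")
    subject = normalize_uri(subj.text) if subj is not None and subj.text else None
    aliases = [normalize_uri(a.text) for a in root.findall(NS + "Alias") if a.text]
    return subject, aliases, iso(exp.text) if exp is not None else None

def xrd_applies_to(xrd_xml, resource_uri):
    """Identity use: accept only an XRD whose Subject or an Alias names the resolved resource."""
    subject, aliases, _ = parse_xrd(xrd_xml)
    return subject is not None and normalize_uri(resource_uri) in [subject] + aliases

class XrdCache:
    """Keyed by the normalized URI the client discovered, independent of Subject; honours Expires."""
    def __init__(self):
        self._entries = {}
    def store(self, resource_uri, xrd_xml):
        self._entries[normalize_uri(resource_uri)] = (xrd_xml, parse_xrd(xrd_xml)[2])
    def lookup(self, resource_uri, now):
        key = normalize_uri(resource_uri)
        xrd_xml, expires = self._entries.get(key, (None, None))
        if expires is not None and now >= expires:  # expired: evict and report a miss
            del self._entries[key]
            return None
        return xrd_xml
# Constructed sample documents (not taken from the thread).
IDENTITY_XRD = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Expires>2009-10-22T00:00:00Z</Expires>
  <Subject>https://example.com/alice</Subject>
  <Alias>http://alice.example.com/</Alias>
</XRD>"""
SITE_XRD = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0"><Link rel="http://example.com/rel/policy" href="https://example.com/policy"/></XRD>"""
```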
