[OpenID] Summarizing my grouse with XRD
Santosh Rajan
santrajan at gmail.com
Wed Oct 21 18:44:59 UTC 2009
XRDs used as identity, signed with a Subject, are a GOOD thing. However, if you
allow XRDs without Subject, companies may choose to use unsigned XRDs as
identity, without Subject, and use transport layer security, which is a BAD
thing.
On Wed, Oct 21, 2009 at 11:18 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
> Yes, an XRD can be used for identity. In that case it should be a signed XRD
> (with Subject).
> However, an XRD can be used to describe any resource (URI).
>
> I may have an XRD that describes my site in the same way a robots.txt might.
>
> It might be used to enable Identity in the browser by allowing browser
> plugins to discover the sites policy (see Flock and other IdIB projects)
>
> It may be more practical for some sites to point to a single document that
> is authoritative for all of the URIs on their site rather than forcing them
> to create individual XRDs for each URI where it may not be necessary.
>
> XRD supports both models. I know you want us to restrict implementers to
> a single model.
>
> That is not the role of the XRI-TC. If we don't support the use case, people
> will create their own hacks to get around the limitation.
>
> I would oppose any vote in the TC to always require a Subject element in
> the XSD.
>
> John B.
>
> On 2009-10-21, at 2:37 PM, Santosh Rajan wrote:
>
> Robots.txt files are unique to a specific resource. The scope of XRDs is
> larger than that. XRDs are not unique to individuals when used as
> identities. Using a <Subject> is the only way you can differentiate XRDs
> belonging to the same individual or resource. That's why I said we are
> comparing apples and oranges.
>
> On Wed, Oct 21, 2009 at 10:24 PM, Ben Laurie <benl at google.com> wrote:
>
>> On Wed, Oct 21, 2009 at 5:07 PM, Santosh Rajan <santrajan at gmail.com>
>> wrote:
>> > Comparing robots.txt with an XRD is like comparing "apples with
>> > oranges". Can you do better than that? Caching robots.txt is not the same
>> > as caching an XRD. I will explain.
>> > If my browser wants to cache all my XRDs. This is a real possibility. I
>> > may have XRDs at Google, Yahoo, Microsoft and "my own" host. The only way
>> > you can differentiate between all these XRDs is if the XRDs have a
>> > <Subject>.
>>
>> If we were defining robots.txt today, we might consider doing it as an
>> XRD. So, it seems to me that the comparison is entirely fair.
>>
>> >
>> > On Wed, Oct 21, 2009 at 9:28 PM, Breno de Medeiros <breno at google.com>
>> wrote:
>> >>
>> >> On Wed, Oct 21, 2009 at 8:47 AM, Santosh Rajan <santrajan at gmail.com>
>> >> wrote:
>> >> > This is further to my post "Open Challenge to webfinger, XRD". The
>> >> > post has grown in all directions. So I would like to put my arguments
>> >> > in a nutshell.
>> >> >
>> >> > The idea of an XRD without a Subject is unacceptable for the
>> >> > following reasons.
>> >> > 1) XRD without <Subject> is a security risk. If nothing else, it makes
>> >> > life easier for the "Man in the middle attacker".
>> >>
>> >> Not necessarily all applications are security sensitive. Think about
>> >> robots.txt. Does it have a Subject? No. Does it introduce security
>> >> vulnerabilities? No. Is it metadata about something? Yes.
>> >>
>> >> > 2) Caching of XRDs is thrown out of the window. You can't cache
>> >> > XRDs without a <Subject>. I firmly believe that caching of XRDs will
>> >> > be a "BIG THING". Applications "IN THE KNOW OF XRDs" will definitely
>> >> > like to cache XRDs. It will definitely speed up the discovery process.
>> >>
>> >> No. Lack of a Subject does not prevent anyone from caching robots.txt
>> >> and will not prevent anyone from caching XRDs. Indeed, caching XRDs
>> >> works completely independently of the Subject. For instance, if a
>> >> client follows a sequence of cacheable redirects and gets an XRD
>> >> document, it should be able to retrieve the XRD from cache next time
>> >> it discovers the same resource (regardless of whether the resource is
>> >> also the Subject of the XRD, an Alias listed in the XRD, or the XRD
>> >> has no Subject).
>> >>
>> >> > 3) I am seeing the real possibility that applications will be
>> >> > developed where users can "save" their XRDs locally. Further, users
>> >> > may be able to upload their XRDs to sites that require it. All this
>> >> > will require a <Subject>.
>> >>
>> >> No, it doesn't. See robots.txt.
>> >>
>> >>
>> >>
>> >> --
>> >> --Breno
>> >
>> >
>> >
>> > --
>> > http://hi.im/santosh
>> >
>> >
>> >
>> > _______________________________________________
>> > general mailing list
>> > general at lists.openid.net
>> > http://lists.openid.net/mailman/listinfo/openid-general
>> >
>> >
>>
>
>
>
> --
> http://hi.im/santosh
>
>
>
>
>
--
http://hi.im/santosh
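To make the two positions in this thread concrete, here is an added Python example (not code from the thread, from the OpenID lists or from the XRD TC). It parses XRD documents in the OASIS XRD 1.0 namespace and shows three things side by side: how a relying application can check whether a descriptor actually names the resource it was asked about (an XRD with no Subject can only be tied to a resource by the URL it was fetched from, which is Santosh's objection); that a fetch cache keyed on the resource URI works with or without a Subject, which is Breno's point; and that once descriptors are detached from their fetch URL (saved locally, uploaded elsewhere) only a Subject can tell them apart. The sample descriptors are constructed, and signature verification is out of scope here: only the presence of a `ds:Signature` element is recorded.

```python
"""XRD Subject binding, fetch caching and saved descriptors (added example;
XRD 1.0 namespace is real, sample documents are constructed)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def _tag(local: str) -> str:
    return f"{{{XRD_NS}}}{local}"


@dataclass
class Descriptor:
    subject: Optional[str]
    aliases: list
    links: list
    signed: bool  # a ds:Signature element is present; verification not done here


def parse_xrd(xml_text: str) -> Descriptor:
    # For descriptors fetched from the network, prefer defusedxml: stock
    # ElementTree still expands internal entities (billion-laughs style input).
    root = ET.fromstring(xml_text)
    if root.tag != _tag("XRD"):
        raise ValueError(f"not an XRD document: {root.tag}")
    subj = root.find(_tag("Subject"))
    return Descriptor(
        subject=subj.text.strip() if subj is not None and subj.text else None,
        aliases=[a.text.strip() for a in root.findall(_tag("Alias")) if a.text],
        links=[(ln.get("rel"), ln.get("href")) for ln in root.findall(_tag("Link"))],
        signed=root.find(f"{{{DSIG_NS}}}Signature") is not None,
    )


def binding(desc: Descriptor, resource_uri: str) -> str:
    """Classify how the descriptor is tied to the resource being discovered.
    unbound:  no Subject, so only the fetch URL (transport) says what it describes
    mismatch: names a Subject/Alias, but not the resource we asked about
    claimed:  names our resource but is unsigned, so the claim is unverified
    signed:   names our resource and carries a signature that can be verified
    """
    if desc.subject is None:
        return "unbound"
    if resource_uri == desc.subject or resource_uri in desc.aliases:
        return "signed" if desc.signed else "claimed"
    return "mismatch"


class DiscoveryCache:
    """Fetch cache keyed on the discovered resource URI; needs no Subject."""

    def __init__(self) -> None:
        self._by_uri: dict = {}

    def put(self, resource_uri: str, desc: Descriptor) -> None:
        self._by_uri[resource_uri] = desc

    def get(self, resource_uri: str) -> Optional[Descriptor]:
        return self._by_uri.get(resource_uri)


def index_saved(descs) -> tuple:
    """Index descriptors that no longer have a fetch URL (saved or uploaded).
    Returns (index_by_subject, number_of_descriptors_that_cannot_be_indexed)."""
    by_subject, unindexable = {}, 0
    for d in descs:
        if d.subject is None:
            unindexable += 1
        else:
            by_subject[d.subject] = d
    return by_subject, unindexable


# Constructed samples: a signed identity XRD, an unsigned one, and a
# site-wide robots.txt-style descriptor with no Subject.
SIGNED_XRD = f"""<XRD xmlns="{XRD_NS}" xmlns:ds="{DSIG_NS}">
  <Subject>http://example.com/alice</Subject>
  <Alias>acct:alice@example.com</Alias>
  <Link rel="describedby" href="http://example.com/alice/profile"/>
  <ds:Signature><!-- signature content omitted in this constructed sample --></ds:Signature>
</XRD>"""
UNSIGNED_XRD = f"""<XRD xmlns="{XRD_NS}"><Subject>http://example.com/bob</Subject></XRD>"""
SITE_XRD = f"""<XRD xmlns="{XRD_NS}"><Link rel="describedby" href="http://example.com/policy"/></XRD>"""


def demo() -> dict:
    alice, bob, site = (parse_xrd(x) for x in (SIGNED_XRD, UNSIGNED_XRD, SITE_XRD))
    cache = DiscoveryCache()
    cache.put("http://example.com/", site)            # caching needs no Subject...
    _, unindexable = index_saved([alice, bob, site])  # ...but saving/uploading does
    return {
        "alice_by_subject": binding(alice, "http://example.com/alice"),
        "alice_by_alias": binding(alice, "acct:alice@example.com"),
        "alice_wrong_resource": binding(alice, "http://example.com/carol"),
        "bob_unsigned": binding(bob, "http://example.com/bob"),
        "site_no_subject": binding(site, "http://example.com/"),
        "site_cached": cache.get("http://example.com/") is site,
        "unindexable_when_saved": unindexable,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `binding` result is what a relying application would act on: `unbound` and `claimed` descriptors rest entirely on the transport the document arrived over, so a policy that requires `signed` for identity use while accepting `unbound` for site-wide metadata expresses exactly the two models John describes.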