[OpenID] Summarizing my grouse with XRD

Thu Oct 22 06:42:28 UTC 2009

Santosh,

IMHO it's not worth all this worry about Subject being optional or not. If
99% of XRDs need Subject because some protocol that will use the XRD
requires a Subject, then only 1% of XRDs will not have a Subject,

And those 1% will probably be for very clear edge cases uses of XRD for a
specific job that doesn't care whether the XRD has a Subject.

All the XRI TC did was recognize that XRD would be useful in that last 1%.

Any protocol that uses XRD for discovery, such as OpenID, is free to specify
that Subject is mandatory. If so, anyone who tries to use an XRD without a
Subject for OpenID discovery will find it won't work, and will need to add
the Subject.

Done (as is, I hope, this thread).

=Drummond

On Wed, Oct 21, 2009 at 8:42 PM, Santosh Rajan <santrajan at gmail.com> wrote:

> So it is now clear to me that identity protocols cannot use the XRD
> specification "as is". There has to be a new "Identity Resource Descriptor"
> specification sitting in between XRD and all identity protocols that draw
> from XRD.
> I will explain the problem with an hypothetical example. Lets say webfinger
> were to specify that the <Subject> of the XRD is not required. And a future
> OpenID spec mandates the use of <Subject>, because the OpenID folks felt
> that XRD with no Subject was a security risk. The future OpenID Spec will
> not be able to use the webfinger protocol (which according to current
> thinking it may want to).
>
> In any case an "Identity Resource Descriptor", without a Subject to
> describe it, is entirely meaningless to me. So a new identity Layer for XRD
> is called for that mandates the use of <Subject> in all Identity Resource
> Descriptors. (IRD's).
>
>
> On Thu, Oct 22, 2009 at 8:46 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>
>> I suppose if we were starting fresh we could have called it RDML.
>>
>> I don't know that there is a meaningful distinction between a document
>> format like  OpenDocument and meta-markup language like SAML.   Technically
>> they are the same.
>>
>> The XRI-TC will also be producing a XRI 3.0 spec that will use this
>> updated XRD document specification.
>>
>> Webfinger and others may also produce processing specifications for XRD or
>> profiles of XRD.
>>
>> XRD is NOT an identifier.
>>
>> XRDS as currently used in openID discovery stands for eXtesable Resource
>> Descriptor  Sequence.
>>
>> Yadis never made any use of the Sequence feature so we made it optional.
>>
>> Hense the main document format spec is now called XRD and not XRDS.
>>
>> I know people are planning on using it with a multitude of different
>> identifiers including email addresses.
>>
>> It is still XML and the document is a meta-data descriptor not an
>> identifier.
>>
>> John B.
>>
>> On 2009-10-21, at 11:13 PM, Santosh Rajan wrote:
>>
>> In other words now you are saying that XRD is another markup language like
>> HTML and SAML. In which case you should be calling it "XRML" for Extensible
>> Resource Markup Language.
>> So what started as a "Descriptor" has morphed into a "Markup Language".
>>
>> So this gives scope for someone else to write the "REAL" Extensible
>> Resource Descriptor Specification on top of XRML.
>>
>>
>> On Thu, Oct 22, 2009 at 2:24 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>
>>> XRD is a XML document spec.
>>>
>>> On 2009-10-21, at 5:21 PM, John Kemp wrote:
>>>
>>>  John Bradley wrote:
>>>>
>>>>> It means that some protocol that is using XRD is defining the subject
>>>>> via some external mechanism.
>>>>>
>>>>
>>>> So the XRD spec. is a template spec. meant to be simply incorporated by
>>>> reference into other specs. I guess?
>>>>
>>>>  Like other XML specs eg SAML 2.0 it can be used multiple specifications
>>> that process XML documents.
>>>
>>> External specs can profile the XRD spec.
>>>
>>>  In the HTTP protocol case there may be an implicit subject based on the
>>>>> identifier that is being resolved.
>>>>>
>>>>
>>>> As mentioned earlier, if the _subject_ of the XRD is identified
>>>> (implicitly) by the same URI used to retrieve the XRD itself, then that
>>>> seems rather circular.
>>>>
>>>>  The XML document describes a resource and provides links to associated
>>> resources.
>>> A HTML page doesn't need to explicitly say what URI it is retrieved from
>>> in its internal markup.
>>>
>>> Like with HTML sometimes the subject is defined by the transport or other
>>> external method.
>>>
>>> Thanks
>>> John B.
>>>
>>>  All normal http caching would apply in the http: case.
>>>>>
>>>>
>>>> Sure, I'm not quibbling with caching...
>>>>
>>>>  In the IMI/SAML case we have discussed pushing a XRD as a
>>>>> assertion/claim.
>>>>> In that case the subject may be the same as the saml:NameID in the
>>>>> containing saml:Assertion.
>>>>> It could perhaps be argued that putting a xrd:Subject and signature
>>>>> inside a signed saml:Asertion is un-neccicary.
>>>>> Suffice to say it is up to the protocol using XRD to decide what to
>>>>> make of a XRD without a xrd:Subject.
>>>>>
>>>>
>>>> OK, I think I've understood ;)
>>>>
>>>> Cheers,
>>>>
>>>> - johnk
>>>>
>>>>  John B.
>>>>> On 2009-10-21, at 3:09 PM, John Kemp wrote:
>>>>>
>>>>>> John Bradley wrote:
>>>>>>
>>>>>>> Yes a XRD can be used for identity.  In that case it should be a
>>>>>>> signed XRD (with Subject)
>>>>>>> However a XRD can be used to describe any resource (URI).
>>>>>>>
>>>>>>
>>>>>> What does it mean then (in XRD terms) if an XRD doesn't identify the
>>>>>> resource it describes (ie. it doesn't have a subject)?
>>>>>>
>>>>>> - johnk
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> http://hi.im/santosh
>>
>>
>>
>>
>
>
> --
> http://hi.im/santosh
>
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20091021/a086ec4f/attachment.htm>