[OpenID] Summarizing my grouse with XRD

Thu Oct 22 15:05:31 UTC 2009

Tiptoeing into this thread with trepidation... It's true that when any  
spec has options in it ("zero or one"), it will need to be profiled  
either implicitly (best practices in various communities) or, ideally,  
explicitly (a spec that references the XRD spec has to state which  
options it chooses) in order to get interop. In this respect, XRD can  
be considered a framework spec -- but so is every spec that has any  
options in it at all. That's probably close to 100% of specs. :-)

It seems amply demonstrated in this thread that there are use cases  
where an absent <Subject> is useful, but it also seems that people  
should think hard about using that option because of the potential  
security implications, and perhaps it should be used far less often  
than the alternative. This option therefore seems tailor-made for the  
RFC 2119 term-of-art "SHOULD"/"RECOMMENDED":

http://www.ietf.org/rfc/rfc2119.txt
3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
    may exist valid reasons in particular circumstances to ignore a
    particular item, but the full implications must be understood and
    carefully weighed before choosing a different course.

I can't seem to find any such guidance in the current draft, so maybe  
it's warranted to consider adding it.

	Eve

On 22 Oct 2009, at 2:08 AM, Santosh Rajan wrote:

> 100% of the people interested in XRD's at the moment are from the  
> identity community. I am not aware of any other community showing  
> interest in XRD at the moment. What worries me is that people from  
> the identity community are rooting for XRD's with 0 or 1 Subject,  
> instead of requiring a Subject.
>
> Also it would make sense to enforce the <Subject> on to the 1% who  
> would not require it, rather than leave the rest of the 99% to their  
> own interpretation of what you mean by 0 or 1 Subject. You have  
> already seen on this thread talk about the first party (originator)  
> not providing a Subject, and the 2nd or 3rd party having to insert  
> the Subject if required by themselves.
>
> After all the <Subject> of an XRD is the most important Element of  
> an XRD. It is amazing that you don't see it that way, and are  
> willing to leave it in an ambiguous state and subject to  
> interpretation. If anything can be a recipe for incompatibility  
> between future identity protocols, then this is it.
>
> So if you are not going to do something about it then somebody else  
> will have to add a new layer to XRD.
>
> On Thu, Oct 22, 2009 at 12:12 PM, Drummond Reed <drummond.reed at cordance.net 
> > wrote:
> Santosh,
>
> IMHO it's not worth all this worry about Subject being optional or  
> not. If 99% of XRDs need Subject because some protocol that will use  
> the XRD requires a Subject, then only 1% of XRDs will not have a  
> Subject,
>
> And those 1% will probably be for very clear edge cases uses of XRD  
> for a specific job that doesn't care whether the XRD has a Subject.
>
> All the XRI TC did was recognize that XRD would be useful in that  
> last 1%.
>
> Any protocol that uses XRD for discovery, such as OpenID, is free to  
> specify that Subject is mandatory. If so, anyone who tries to use an  
> XRD without a Subject for OpenID discovery will find it won't work,  
> and will need to add the Subject.
>
> Done (as is, I hope, this thread).
>
> =Drummond
>
> On Wed, Oct 21, 2009 at 8:42 PM, Santosh Rajan <santrajan at gmail.com>  
> wrote:
> So it is now clear to me that identity protocols cannot use the XRD  
> specification "as is". There has to be a new "Identity Resource  
> Descriptor" specification sitting in between XRD and all identity  
> protocols that draw from XRD.
>
> I will explain the problem with an hypothetical example. Lets say  
> webfinger were to specify that the <Subject> of the XRD is not  
> required. And a future OpenID spec mandates the use of <Subject>,  
> because the OpenID folks felt that XRD with no Subject was a  
> security risk. The future OpenID Spec will not be able to use the  
> webfinger protocol (which according to current thinking it may want  
> to).
>
> In any case an "Identity Resource Descriptor", without a Subject to  
> describe it, is entirely meaningless to me. So a new identity Layer  
> for XRD is called for that mandates the use of <Subject> in all  
> Identity Resource Descriptors. (IRD's).
>
>
> On Thu, Oct 22, 2009 at 8:46 AM, John Bradley <ve7jtb at ve7jtb.com>  
> wrote:
> I suppose if we were starting fresh we could have called it RDML.
>
> I don't know that there is a meaningful distinction between a  
> document format like  OpenDocument and meta-markup language like  
> SAML.   Technically they are the same.
>
> The XRI-TC will also be producing a XRI 3.0 spec that will use this  
> updated XRD document specification.
>
> Webfinger and others may also produce processing specifications for  
> XRD or profiles of XRD.
>
> XRD is NOT an identifier.
>
> XRDS as currently used in openID discovery stands for eXtesable  
> Resource Descriptor  Sequence.
>
> Yadis never made any use of the Sequence feature so we made it  
> optional.
>
> Hense the main document format spec is now called XRD and not XRDS.
>
> I know people are planning on using it with a multitude of different  
> identifiers including email addresses.
>
> It is still XML and the document is a meta-data descriptor not an  
> identifier.
>
> John B.
>
> On 2009-10-21, at 11:13 PM, Santosh Rajan wrote:
>
>> In other words now you are saying that XRD is another markup  
>> language like HTML and SAML. In which case you should be calling it  
>> "XRML" for Extensible Resource Markup Language.
>>
>> So what started as a "Descriptor" has morphed into a "Markup  
>> Language".
>>
>> So this gives scope for someone else to write the "REAL" Extensible  
>> Resource Descriptor Specification on top of XRML.
>>
>>
>> On Thu, Oct 22, 2009 at 2:24 AM, John Bradley <ve7jtb at ve7jtb.com>  
>> wrote:
>> XRD is a XML document spec.
>>
>>
>> On 2009-10-21, at 5:21 PM, John Kemp wrote:
>>
>> John Bradley wrote:
>> It means that some protocol that is using XRD is defining the  
>> subject via some external mechanism.
>>
>> So the XRD spec. is a template spec. meant to be simply  
>> incorporated by reference into other specs. I guess?
>>
>> Like other XML specs eg SAML 2.0 it can be used multiple  
>> specifications that process XML documents.
>>
>> External specs can profile the XRD spec.
>>
>>
>> In the HTTP protocol case there may be an implicit subject based on  
>> the identifier that is being resolved.
>>
>> As mentioned earlier, if the _subject_ of the XRD is identified  
>> (implicitly) by the same URI used to retrieve the XRD itself, then  
>> that seems rather circular.
>>
>> The XML document describes a resource and provides links to  
>> associated resources.
>> A HTML page doesn't need to explicitly say what URI it is retrieved  
>> from in its internal markup.
>>
>> Like with HTML sometimes the subject is defined by the transport or  
>> other external method.
>>
>> Thanks
>> John B.
>>
>> All normal http caching would apply in the http: case.
>>
>> Sure, I'm not quibbling with caching...
>>
>> In the IMI/SAML case we have discussed pushing a XRD as a assertion/ 
>> claim.
>> In that case the subject may be the same as the saml:NameID in the  
>> containing saml:Assertion.
>> It could perhaps be argued that putting a xrd:Subject and signature  
>> inside a signed saml:Asertion is un-neccicary.
>> Suffice to say it is up to the protocol using XRD to decide what to  
>> make of a XRD without a xrd:Subject.
>>
>> OK, I think I've understood ;)
>>
>> Cheers,
>>
>> - johnk
>>
>> John B.
>> On 2009-10-21, at 3:09 PM, John Kemp wrote:
>> John Bradley wrote:
>> Yes a XRD can be used for identity.  In that case it should be a  
>> signed XRD (with Subject)
>> However a XRD can be used to describe any resource (URI).
>>
>> What does it mean then (in XRD terms) if an XRD doesn't identify  
>> the resource it describes (ie. it doesn't have a subject)?
>>
>> - johnk
>>
>>
>>
>>
>>
>> -- 
>> http://hi.im/santosh
>>
>>
>
>
>
>
> -- 
> http://hi.im/santosh
>
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
>
>
>
> -- 
> http://hi.im/santosh
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general

Eve Maler
eve at xmlgrrl.com
http://www.xmlgrrl.com/blog

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20091022/fdd85809/attachment-0001.htm>