[OpenID] Summarizing my grouse with XRD

John Bradley ve7jtb at ve7jtb.com
Thu Oct 22 15:40:39 UTC 2009


Thanks Eve,

The CD is coming to public review in the next week.

I am happy to take that feedback to the TC.

Regards
John B.
On 2009-10-22, at 12:05 PM, Eve Maler wrote:

> Tiptoeing into this thread with trepidation... It's true that when  
> any spec has options in it ("zero or one"), it will need to be  
> profiled either implicitly (best practices in various communities)  
> or, ideally, explicitly (a spec that references the XRD spec has to  
> state which options it chooses) in order to get interop. In this  
> respect, XRD can be considered a framework spec -- but so is every  
> spec that has any options in it at all. That's probably close to  
> 100% of specs. :-)
>
> It seems amply demonstrated in this thread that there are use cases  
> where an absent <Subject> is useful, but it also seems that people  
> should think hard about using that option because of the potential  
> security implications, and perhaps it should be used far less often  
> than the alternative. This option therefore seems tailor-made for  
> the RFC 2119 term-of-art "SHOULD"/"RECOMMENDED":
>
> http://www.ietf.org/rfc/rfc2119.txt
> 3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
>    may exist valid reasons in particular circumstances to ignore a
>    particular item, but the full implications must be understood and
>    carefully weighed before choosing a different course.
>
> I can't seem to find any such guidance in the current draft, so  
> maybe it's warranted to consider adding it.
>
> 	Eve
>
> On 22 Oct 2009, at 2:08 AM, Santosh Rajan wrote:
>
>> 100% of the people interested in XRD's at the moment are from the  
>> identity community. I am not aware of any other community showing  
>> interest in XRD at the moment. What worries me is that people from  
>> the identity community are rooting for XRD's with 0 or 1 Subject,  
>> instead of requiring a Subject.
>>
>> Also it would make sense to enforce the <Subject> on to the 1% who  
>> would not require it, rather than leave the rest of the 99% to  
>> their own interpretation of what you mean by 0 or 1 Subject. You  
>> have already seen on this thread talk about the first party  
>> (originator) not providing a Subject, and the 2nd or 3rd party  
>> having to insert the Subject if required by themselves.
>>
>> After all the <Subject> of an XRD is the most important Element of  
>> an XRD. It is amazing that you don't see it that way, and are  
>> willing to leave it in an ambiguous state and subject to  
>> interpretation. If anything can be a recipe for incompatibility  
>> between future identity protocols, then this is it.
>>
>> So if you are not going to do something about it then somebody else  
>> will have to add a new layer to XRD.
>>
>> On Thu, Oct 22, 2009 at 12:12 PM, Drummond Reed <drummond.reed at cordance.net> wrote:
>> Santosh,
>>
>> IMHO it's not worth all this worry about Subject being optional or  
>> not. If 99% of XRDs need Subject because some protocol that will  
>> use the XRD requires a Subject, then only 1% of XRDs will not have  
>> a Subject,
>>
>> And those 1% will probably be for very clear edge cases uses of XRD  
>> for a specific job that doesn't care whether the XRD has a Subject.
>>
>> All the XRI TC did was recognize that XRD would be useful in that  
>> last 1%.
>>
>> Any protocol that uses XRD for discovery, such as OpenID, is free  
>> to specify that Subject is mandatory. If so, anyone who tries to  
>> use an XRD without a Subject for OpenID discovery will find it  
>> won't work, and will need to add the Subject.
>>
>> Done (as is, I hope, this thread).
>>
>> =Drummond
>>
>> On Wed, Oct 21, 2009 at 8:42 PM, Santosh Rajan  
>> <santrajan at gmail.com> wrote:
>> So it is now clear to me that identity protocols cannot use the XRD  
>> specification "as is". There has to be a new "Identity Resource  
>> Descriptor" specification sitting in between XRD and all identity  
>> protocols that draw from XRD.
>>
>> I will explain the problem with a hypothetical example. Let's say
>> webfinger were to specify that the <Subject> of the XRD is not
>> required. And a future OpenID spec mandates the use of <Subject>,  
>> because the OpenID folks felt that XRD with no Subject was a  
>> security risk. The future OpenID Spec will not be able to use the  
>> webfinger protocol (which according to current thinking it may want  
>> to).
>>
>> In any case an "Identity Resource Descriptor", without a Subject to  
>> describe it, is entirely meaningless to me. So a new identity Layer  
>> for XRD is called for that mandates the use of <Subject> in all  
>> Identity Resource Descriptors (IRDs).
>>
>>
>> On Thu, Oct 22, 2009 at 8:46 AM, John Bradley <ve7jtb at ve7jtb.com>  
>> wrote:
>> I suppose if we were starting fresh we could have called it RDML.
>>
>> I don't know that there is a meaningful distinction between a
>> document format like OpenDocument and a meta-markup language like
>> SAML. Technically they are the same.
>>
>> The XRI-TC will also be producing a XRI 3.0 spec that will use this  
>> updated XRD document specification.
>>
>> Webfinger and others may also produce processing specifications for  
>> XRD or profiles of XRD.
>>
>> XRD is NOT an identifier.
>>
>> XRDS as currently used in OpenID discovery stands for eXtensible
>> Resource Descriptor Sequence.
>>
>> Yadis never made any use of the Sequence feature so we made it  
>> optional.
>>
>> Hence the main document format spec is now called XRD and not XRDS.
>>
>> I know people are planning on using it with a multitude of  
>> different identifiers including email addresses.
>>
>> It is still XML and the document is a meta-data descriptor not an  
>> identifier.
>>
>> John B.
>>
>> On 2009-10-21, at 11:13 PM, Santosh Rajan wrote:
>>
>>> In other words now you are saying that XRD is another markup  
>>> language like HTML and SAML. In which case you should be calling  
>>> it "XRML" for Extensible Resource Markup Language.
>>>
>>> So what started as a "Descriptor" has morphed into a "Markup  
>>> Language".
>>>
>>> So this gives scope for someone else to write the "REAL"  
>>> Extensible Resource Descriptor Specification on top of XRML.
>>>
>>>
>>> On Thu, Oct 22, 2009 at 2:24 AM, John Bradley <ve7jtb at ve7jtb.com>  
>>> wrote:
>>> XRD is a XML document spec.
>>>
>>>
>>> On 2009-10-21, at 5:21 PM, John Kemp wrote:
>>>
>>> John Bradley wrote:
>>> It means that some protocol that is using XRD is defining the  
>>> subject via some external mechanism.
>>>
>>> So the XRD spec. is a template spec. meant to be simply  
>>> incorporated by reference into other specs. I guess?
>>>
>>> Like other XML specs, e.g. SAML 2.0, it can be used by multiple
>>> specifications that process XML documents.
>>>
>>> External specs can profile the XRD spec.
>>>
>>>
>>> In the HTTP protocol case there may be an implicit subject based  
>>> on the identifier that is being resolved.
>>>
>>> As mentioned earlier, if the _subject_ of the XRD is identified  
>>> (implicitly) by the same URI used to retrieve the XRD itself, then  
>>> that seems rather circular.
>>>
>>> The XML document describes a resource and provides links to  
>>> associated resources.
>>> An HTML page doesn't need to explicitly say what URI it is
>>> retrieved from in its internal markup.
>>>
>>> Like with HTML sometimes the subject is defined by the transport  
>>> or other external method.
>>>
>>> Thanks
>>> John B.
>>>
>>> All normal http caching would apply in the http: case.
>>>
>>> Sure, I'm not quibbling with caching...
>>>
>>> In the IMI/SAML case we have discussed pushing an XRD as an
>>> assertion/claim.
>>> In that case the subject may be the same as the saml:NameID in the
>>> containing saml:Assertion.
>>> It could perhaps be argued that putting an xrd:Subject and
>>> signature inside a signed saml:Assertion is unnecessary.
>>> Suffice to say it is up to the protocol using XRD to decide what  
>>> to make of a XRD without a xrd:Subject.
>>>
>>> OK, I think I've understood ;)
>>>
>>> Cheers,
>>>
>>> - johnk
>>>
>>> John B.
>>> On 2009-10-21, at 3:09 PM, John Kemp wrote:
>>> John Bradley wrote:
>>> Yes, an XRD can be used for identity. In that case it should be a
>>> signed XRD (with Subject).
>>> However an XRD can be used to describe any resource (URI).
>>>
>>> What does it mean then (in XRD terms) if an XRD doesn't identify  
>>> the resource it describes (ie. it doesn't have a subject)?
>>>
>>> - johnk
>>>
>>> -- 
>>> http://hi.im/santosh
>>>
>> -- 
>> http://hi.im/santosh
>>
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
>>
>> -- 
>> http://hi.im/santosh
>>
>
> Eve Maler
> eve at xmlgrrl.com
> http://www.xmlgrrl.com/blog
>
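The thread above argues that a protocol built on XRD (OpenID is the example given) is free to profile the spec so that <Subject> is mandatory, and that an XRD without a Subject simply "won't work" under such a profile. The following is an added example, not code from any participant or from the XRD TC, showing what such a consumer-side check looks like: it parses an XRD 1.0 document, rejects a missing Subject under the strict profile, verifies that the Subject (or one of its Aliases) actually describes the identifier the consumer resolved (the point raised about a Subject that differs from what was requested), and optionally handles the "implicit subject from the retrieval URI" case John Bradley describes for plain HTTP. The XRD 1.0 namespace is real; the profile rules, the sample documents, the link relation value and all function names are assumptions constructed for the illustration.

```python
# Added example (not from the thread or the XRD spec): a consumer-side check
# for a hypothetical "Subject is mandatory" identity profile of XRD 1.0.
import xml.etree.ElementTree as ET

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"   # real XRD 1.0 namespace
NS = {"xrd": XRD_NS}

# Assumed link relation for the example; not taken from a published profile.
PROVIDER_REL = "http://specs.openid.net/auth/2.0/provider"

# Constructed sample documents, as a consumer that resolved
# http://example.com/alice might receive them.
XRD_WITH_SUBJECT = """
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://example.com/alice</Subject>
  <Alias>acct:alice@example.com</Alias>
  <Link rel="http://specs.openid.net/auth/2.0/provider" href="https://op.example.com/"/>
</XRD>
"""

XRD_WITHOUT_SUBJECT = """
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="http://specs.openid.net/auth/2.0/provider" href="https://op.example.com/"/>
</XRD>
"""

# A document whose Subject names a different resource than the one resolved.
XRD_WRONG_SUBJECT = """
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://example.com/mallory</Subject>
  <Link rel="http://specs.openid.net/auth/2.0/provider" href="https://op.evil.example/"/>
</XRD>
"""


def parse_xrd(xml_text):
    """Extract the Subject, Aliases and Links of an XRD 1.0 document."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}XRD" % XRD_NS:
        raise ValueError("root element is not xrd:XRD")
    subject_el = root.find("xrd:Subject", NS)
    subject = None
    if subject_el is not None and subject_el.text and subject_el.text.strip():
        subject = subject_el.text.strip()
    aliases = [a.text.strip() for a in root.findall("xrd:Alias", NS) if a.text]
    links = [{"rel": link.get("rel"), "href": link.get("href")}
             for link in root.findall("xrd:Link", NS)]
    return {"subject": subject, "aliases": aliases, "links": links}


def check_xrd(xml_text, resolved_identifier, require_subject=True):
    """Apply the hypothetical identity profile and return a result dict.

    ok       -> True when the document passes the profile
    error    -> reason string when ok is False
    subject  -> the explicit Subject, or the resolved identifier when the
                implicit-subject case was allowed (require_subject=False)
    implicit -> True when the consumer supplied the subject itself
    links    -> rel/href pairs taken from the document
    """
    doc = parse_xrd(xml_text)
    result = {"ok": True, "error": None, "implicit": False,
              "subject": doc["subject"], "links": doc["links"]}
    if doc["subject"] is None:
        if require_subject:
            result.update(ok=False,
                          error="XRD has no <Subject>; this profile requires one")
        else:
            # Plain-HTTP case from the thread: the subject is implied by the
            # URI that was resolved, so the consumer fills it in.
            result.update(subject=resolved_identifier, implicit=True)
        return result
    # The document must describe the identifier that was actually resolved,
    # either as its Subject or as one of its Aliases.
    if resolved_identifier not in [doc["subject"], *doc["aliases"]]:
        result.update(ok=False,
                      error="Subject %r does not describe %r"
                            % (doc["subject"], resolved_identifier))
    return result


def link_href(result, rel):
    """Return the href of the first Link with the given rel, or None."""
    for link in result["links"]:
        if link["rel"] == rel:
            return link["href"]
    return None


if __name__ == "__main__":
    identifier = "http://example.com/alice"
    for name, doc in [("with Subject", XRD_WITH_SUBJECT),
                      ("without Subject", XRD_WITHOUT_SUBJECT),
                      ("wrong Subject", XRD_WRONG_SUBJECT)]:
        r = check_xrd(doc, identifier)
        print(name, "->", "ok" if r["ok"] else "rejected: " + r["error"])
```

Only the document whose Subject (or Alias) names the resolved identifier yields a provider endpoint under the strict profile; the relaxed call with require_subject=False is the consumer-side equivalent of the implicit-subject reading discussed above, and it is deliberately opt-in so that a deployment has to choose it knowingly.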
