[OpenID] Summarizing my grouse with XRD

Thu Oct 22 20:19:41 UTC 2009

On Thu, Oct 22, 2009 at 5:08 AM, Santosh Rajan <santrajan at gmail.com> wrote:
> 100% of the people interested in XRD's at the
> moment are from the identity community.
That's just not true. We've been discussing using XRD for a variety of
purposes in PubSubHubbub land and it has also come up as a real option in a
variety of other efforts that I'm involved with.

> I am not aware of any other community
> showing interest in XRD at the moment.
Well, hopefully, that has changed.

bob wyman

On Thu, Oct 22, 2009 at 5:08 AM, Santosh Rajan <santrajan at gmail.com> wrote:

> 100% of the people interested in XRD's at the moment are from the identity
> community. I am not aware of any other community showing interest in XRD at
> the moment. What worries me is that people from the identity community are
> rooting for XRD's with 0 or 1 Subject, instead of requiring a Subject.
> Also it would make sense to enforce the <Subject> on to the 1% who would
> not require it, rather than leave the rest of the 99% to their own
> interpretation of what you mean by 0 or 1 Subject. You have already seen on
> this thread talk about the first party (originator) not providing a Subject,
> and the 2nd or 3rd party having to insert the Subject if required by
> themselves.
>
> After all the <Subject> of an XRD is the most important Element of an XRD.
> It is amazing that you don't see it that way, and are willing to leave it in
> an ambiguous state and subject to interpretation. If anything can be a
> recipe for incompatibility between future identity protocols, then this is
> it.
>
> So if you are not going to do something about it then somebody else will
> have to add a new layer to XRD.
>
>
> On Thu, Oct 22, 2009 at 12:12 PM, Drummond Reed <
> drummond.reed at cordance.net> wrote:
>
>> Santosh,
>>
>> IMHO it's not worth all this worry about Subject being optional or not. If
>> 99% of XRDs need Subject because some protocol that will use the XRD
>> requires a Subject, then only 1% of XRDs will not have a Subject,
>>
>> And those 1% will probably be for very clear edge cases uses of XRD for a
>> specific job that doesn't care whether the XRD has a Subject.
>>
>> All the XRI TC did was recognize that XRD would be useful in that last 1%.
>>
>> Any protocol that uses XRD for discovery, such as OpenID, is free to
>> specify that Subject is mandatory. If so, anyone who tries to use an XRD
>> without a Subject for OpenID discovery will find it won't work, and will
>> need to add the Subject.
>>
>> Done (as is, I hope, this thread).
>>
>> =Drummond
>>
>> On Wed, Oct 21, 2009 at 8:42 PM, Santosh Rajan <santrajan at gmail.com>wrote:
>>
>>> So it is now clear to me that identity protocols cannot use the XRD
>>> specification "as is". There has to be a new "Identity Resource Descriptor"
>>> specification sitting in between XRD and all identity protocols that draw
>>> from XRD.
>>> I will explain the problem with an hypothetical example. Lets say
>>> webfinger were to specify that the <Subject> of the XRD is not required. And
>>> a future OpenID spec mandates the use of <Subject>, because the OpenID folks
>>> felt that XRD with no Subject was a security risk. The future OpenID Spec
>>> will not be able to use the webfinger protocol (which according to current
>>> thinking it may want to).
>>>
>>> In any case an "Identity Resource Descriptor", without a Subject to
>>> describe it, is entirely meaningless to me. So a new identity Layer for XRD
>>> is called for that mandates the use of <Subject> in all Identity Resource
>>> Descriptors. (IRD's).
>>>
>>>
>>> On Thu, Oct 22, 2009 at 8:46 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>>
>>>> I suppose if we were starting fresh we could have called it RDML.
>>>>
>>>> I don't know that there is a meaningful distinction between a document
>>>> format like  OpenDocument and meta-markup language like SAML.   Technically
>>>> they are the same.
>>>>
>>>> The XRI-TC will also be producing a XRI 3.0 spec that will use this
>>>> updated XRD document specification.
>>>>
>>>> Webfinger and others may also produce processing specifications for XRD
>>>> or profiles of XRD.
>>>>
>>>> XRD is NOT an identifier.
>>>>
>>>> XRDS as currently used in openID discovery stands for eXtesable Resource
>>>> Descriptor  Sequence.
>>>>
>>>> Yadis never made any use of the Sequence feature so we made it
>>>> optional.
>>>>
>>>> Hense the main document format spec is now called XRD and not XRDS.
>>>>
>>>> I know people are planning on using it with a multitude of different
>>>> identifiers including email addresses.
>>>>
>>>> It is still XML and the document is a meta-data descriptor not an
>>>> identifier.
>>>>
>>>> John B.
>>>>
>>>> On 2009-10-21, at 11:13 PM, Santosh Rajan wrote:
>>>>
>>>> In other words now you are saying that XRD is another markup language
>>>> like HTML and SAML. In which case you should be calling it "XRML" for
>>>> Extensible Resource Markup Language.
>>>> So what started as a "Descriptor" has morphed into a "Markup Language".
>>>>
>>>> So this gives scope for someone else to write the "REAL" Extensible
>>>> Resource Descriptor Specification on top of XRML.
>>>>
>>>>
>>>> On Thu, Oct 22, 2009 at 2:24 AM, John Bradley <ve7jtb at ve7jtb.com>wrote:
>>>>
>>>>> XRD is a XML document spec.
>>>>>
>>>>> On 2009-10-21, at 5:21 PM, John Kemp wrote:
>>>>>
>>>>>  John Bradley wrote:
>>>>>>
>>>>>>> It means that some protocol that is using XRD is defining the subject
>>>>>>> via some external mechanism.
>>>>>>>
>>>>>>
>>>>>> So the XRD spec. is a template spec. meant to be simply incorporated
>>>>>> by reference into other specs. I guess?
>>>>>>
>>>>>>  Like other XML specs eg SAML 2.0 it can be used multiple
>>>>> specifications that process XML documents.
>>>>>
>>>>> External specs can profile the XRD spec.
>>>>>
>>>>>  In the HTTP protocol case there may be an implicit subject based on
>>>>>>> the identifier that is being resolved.
>>>>>>>
>>>>>>
>>>>>> As mentioned earlier, if the _subject_ of the XRD is identified
>>>>>> (implicitly) by the same URI used to retrieve the XRD itself, then that
>>>>>> seems rather circular.
>>>>>>
>>>>>>  The XML document describes a resource and provides links to
>>>>> associated resources.
>>>>> A HTML page doesn't need to explicitly say what URI it is retrieved
>>>>> from in its internal markup.
>>>>>
>>>>> Like with HTML sometimes the subject is defined by the transport or
>>>>> other external method.
>>>>>
>>>>> Thanks
>>>>> John B.
>>>>>
>>>>>  All normal http caching would apply in the http: case.
>>>>>>>
>>>>>>
>>>>>> Sure, I'm not quibbling with caching...
>>>>>>
>>>>>>  In the IMI/SAML case we have discussed pushing a XRD as a
>>>>>>> assertion/claim.
>>>>>>> In that case the subject may be the same as the saml:NameID in the
>>>>>>> containing saml:Assertion.
>>>>>>> It could perhaps be argued that putting a xrd:Subject and signature
>>>>>>> inside a signed saml:Asertion is un-neccicary.
>>>>>>> Suffice to say it is up to the protocol using XRD to decide what to
>>>>>>> make of a XRD without a xrd:Subject.
>>>>>>>
>>>>>>
>>>>>> OK, I think I've understood ;)
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> - johnk
>>>>>>
>>>>>>  John B.
>>>>>>> On 2009-10-21, at 3:09 PM, John Kemp wrote:
>>>>>>>
>>>>>>>> John Bradley wrote:
>>>>>>>>
>>>>>>>>> Yes a XRD can be used for identity.  In that case it should be a
>>>>>>>>> signed XRD (with Subject)
>>>>>>>>> However a XRD can be used to describe any resource (URI).
>>>>>>>>>
>>>>>>>>
>>>>>>>> What does it mean then (in XRD terms) if an XRD doesn't identify the
>>>>>>>> resource it describes (ie. it doesn't have a subject)?
>>>>>>>>
>>>>>>>> - johnk
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> http://hi.im/santosh
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> http://hi.im/santosh
>>>
>>>
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>
>>>
>>
>
>
> --
> http://hi.im/santosh
>
>
>
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20091022/8eccba72/attachment-0001.htm>