[OpenID] Summarizing my grouse with XRD
Santosh Rajan
santrajan at gmail.com
Fri Oct 23 01:32:30 UTC 2009
Thanks for pointing this out. But the overwhelming majority of the interest
in XRD comes from the identity community. So this does not change the
overall argument I am making.
On Fri, Oct 23, 2009 at 1:49 AM, Bob Wyman <bob at wyman.us> wrote:
> On Thu, Oct 22, 2009 at 5:08 AM, Santosh Rajan <santrajan at gmail.com> wrote:
> > 100% of the people interested in XRD's at the
> > moment are from the identity community.
> That's just not true. We've been discussing using XRD for a variety of
> purposes in PubSubHubbub land and it has also come up as a real option in a
> variety of other efforts that I'm involved with.
>
> > I am not aware of any other community
> > showing interest in XRD at the moment.
> Well, hopefully, that has changed.
>
> bob wyman
>
>
>
> On Thu, Oct 22, 2009 at 5:08 AM, Santosh Rajan <santrajan at gmail.com> wrote:
>
>> 100% of the people interested in XRD's at the moment are from the identity
>> community. I am not aware of any other community showing interest in XRD at
>> the moment. What worries me is that people from the identity community are
>> rooting for XRD's with 0 or 1 Subject, instead of requiring a Subject.
>> Also it would make sense to enforce the <Subject> on to the 1% who would
>> not require it, rather than leave the rest of the 99% to their own
>> interpretation of what you mean by 0 or 1 Subject. You have already seen on
>> this thread talk about the first party (originator) not providing a Subject,
>> and the 2nd or 3rd party having to insert the Subject if required by
>> themselves.
>>
>> After all the <Subject> of an XRD is the most important Element of an XRD.
>> It is amazing that you don't see it that way, and are willing to leave it in
>> an ambiguous state and subject to interpretation. If anything can be a
>> recipe for incompatibility between future identity protocols, then this is
>> it.
>>
>> So if you are not going to do something about it then somebody else will
>> have to add a new layer to XRD.
>>
>>
>> On Thu, Oct 22, 2009 at 12:12 PM, Drummond Reed <
>> drummond.reed at cordance.net> wrote:
>>
>>> Santosh,
>>>
>>> IMHO it's not worth all this worry about Subject being optional or not.
>>> If 99% of XRDs need Subject because some protocol that will use the XRD
>>> requires a Subject, then only 1% of XRDs will not have a Subject,
>>>
>>> And those 1% will probably be for very clear edge-case uses of XRD for a
>>> specific job that doesn't care whether the XRD has a Subject.
>>>
>>> All the XRI TC did was recognize that XRD would be useful in that last
>>> 1%.
>>>
>>> Any protocol that uses XRD for discovery, such as OpenID, is free to
>>> specify that Subject is mandatory. If so, anyone who tries to use an XRD
>>> without a Subject for OpenID discovery will find it won't work, and will
>>> need to add the Subject.
>>>
>>> Done (as is, I hope, this thread).
>>>
>>> =Drummond
>>>
>>> On Wed, Oct 21, 2009 at 8:42 PM, Santosh Rajan <santrajan at gmail.com> wrote:
>>>
>>>> So it is now clear to me that identity protocols cannot use the XRD
>>>> specification "as is". There has to be a new "Identity Resource Descriptor"
>>>> specification sitting in between XRD and all identity protocols that draw
>>>> from XRD.
>>>> I will explain the problem with a hypothetical example. Let's say
>>>> webfinger were to specify that the <Subject> of the XRD is not required. And
>>>> a future OpenID spec mandates the use of <Subject>, because the OpenID folks
>>>> felt that XRD with no Subject was a security risk. The future OpenID Spec
>>>> will not be able to use the webfinger protocol (which according to current
>>>> thinking it may want to).
>>>>
>>>> In any case an "Identity Resource Descriptor", without a Subject to
>>>> describe it, is entirely meaningless to me. So a new identity Layer for XRD
>>>> is called for that mandates the use of <Subject> in all Identity Resource
>>>> Descriptors. (IRD's).
>>>>
>>>>
>>>> On Thu, Oct 22, 2009 at 8:46 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>>>
>>>>> I suppose if we were starting fresh we could have called it RDML.
>>>>>
>>>>> I don't know that there is a meaningful distinction between a document
>>>>> format like OpenDocument and meta-markup language like SAML. Technically
>>>>> they are the same.
>>>>>
>>>>> The XRI-TC will also be producing a XRI 3.0 spec that will use this
>>>>> updated XRD document specification.
>>>>>
>>>>> Webfinger and others may also produce processing specifications for XRD
>>>>> or profiles of XRD.
>>>>>
>>>>> XRD is NOT an identifier.
>>>>>
>>>>> XRDS as currently used in OpenID discovery stands for eXtensible
>>>>> Resource Descriptor Sequence.
>>>>>
>>>>> Yadis never made any use of the Sequence feature so we made it
>>>>> optional.
>>>>>
>>>>> Hence the main document format spec is now called XRD and not XRDS.
>>>>>
>>>>> I know people are planning on using it with a multitude of different
>>>>> identifiers including email addresses.
>>>>>
>>>>> It is still XML and the document is a meta-data descriptor not an
>>>>> identifier.
>>>>>
>>>>> John B.
>>>>>
>>>>> On 2009-10-21, at 11:13 PM, Santosh Rajan wrote:
>>>>>
>>>>> In other words now you are saying that XRD is another markup language
>>>>> like HTML and SAML. In which case you should be calling it "XRML" for
>>>>> Extensible Resource Markup Language.
>>>>> So what started as a "Descriptor" has morphed into a "Markup Language".
>>>>>
>>>>> So this gives scope for someone else to write the "REAL" Extensible
>>>>> Resource Descriptor Specification on top of XRML.
>>>>>
>>>>>
>>>>> On Thu, Oct 22, 2009 at 2:24 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>>>>
>>>>>> XRD is a XML document spec.
>>>>>>
>>>>>> On 2009-10-21, at 5:21 PM, John Kemp wrote:
>>>>>>
>>>>>> John Bradley wrote:
>>>>>>>
>>>>>>>> It means that some protocol that is using XRD is defining the
>>>>>>>> subject via some external mechanism.
>>>>>>>>
>>>>>>>
>>>>>>> So the XRD spec. is a template spec. meant to be simply incorporated
>>>>>>> by reference into other specs. I guess?
>>>>>>>
>>>>>>> Like other XML specs, e.g. SAML 2.0, it can be used by multiple
>>>>>> specifications that process XML documents.
>>>>>>
>>>>>> External specs can profile the XRD spec.
>>>>>>
>>>>>> In the HTTP protocol case there may be an implicit subject based on
>>>>>>>> the identifier that is being resolved.
>>>>>>>>
>>>>>>>
>>>>>>> As mentioned earlier, if the _subject_ of the XRD is identified
>>>>>>> (implicitly) by the same URI used to retrieve the XRD itself, then that
>>>>>>> seems rather circular.
>>>>>>>
>>>>>>> The XML document describes a resource and provides links to
>>>>>> associated resources.
>>>>>> A HTML page doesn't need to explicitly say what URI it is retrieved
>>>>>> from in its internal markup.
>>>>>>
>>>>>> Like with HTML sometimes the subject is defined by the transport or
>>>>>> other external method.
>>>>>>
>>>>>> Thanks
>>>>>> John B.
>>>>>>
>>>>>> All normal http caching would apply in the http: case.
>>>>>>>>
>>>>>>>
>>>>>>> Sure, I'm not quibbling with caching...
>>>>>>>
>>>>>>> In the IMI/SAML case we have discussed pushing a XRD as a
>>>>>>>> assertion/claim.
>>>>>>>> In that case the subject may be the same as the saml:NameID in the
>>>>>>>> containing saml:Assertion.
>>>>>>>> It could perhaps be argued that putting a xrd:Subject and signature
>>>>>>>> inside a signed saml:Assertion is unnecessary.
>>>>>>>> Suffice to say it is up to the protocol using XRD to decide what to
>>>>>>>> make of a XRD without a xrd:Subject.
>>>>>>>>
>>>>>>>
>>>>>>> OK, I think I've understood ;)
>>>>>>>
>>>>>>> Cheers,
>>>>>>>
>>>>>>> - johnk
>>>>>>>
>>>>>>> John B.
>>>>>>>> On 2009-10-21, at 3:09 PM, John Kemp wrote:
>>>>>>>>
>>>>>>>>> John Bradley wrote:
>>>>>>>>>
>>>>>>>>>> Yes a XRD can be used for identity. In that case it should be a
>>>>>>>>>> signed XRD (with Subject)
>>>>>>>>>> However a XRD can be used to describe any resource (URI).
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> What does it mean then (in XRD terms) if an XRD doesn't identify
>>>>>>>>> the resource it describes (ie. it doesn't have a subject)?
>>>>>>>>>
>>>>>>>>> - johnk
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> http://hi.im/santosh
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> http://hi.im/santosh
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> general mailing list
>>>> general at lists.openid.net
>>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>>
>>>>
>>>
>>
>>
>> --
>> http://hi.im/santosh
>>
>>
>>
>>
>>
>
--
http://hi.im/santosh
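
An added example, not part of the thread or of any XRD or OpenID specification: a consumer-side check showing the two positions argued above, a profile that mandates <Subject> and one that takes the subject implicitly from the identifier that was resolved. The function names, the exact-match rule and the sample documents are assumptions made for illustration; signature verification is left out.

```python
import xml.etree.ElementTree as ET

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"  # XRD 1.0 namespace


class XRDProfileError(ValueError):
    """The XRD does not satisfy the consuming protocol's profile."""


def subject_for(xrd_xml, resolved_id, require_subject=True):
    """Return the subject a consumer should bind this XRD to.

    require_subject=True models a (hypothetical) profile that mandates
    <Subject>; False models a profile that accepts the implicit subject,
    i.e. the identifier that was resolved to fetch the document.
    """
    if "<!DOCTYPE" in xrd_xml:
        raise XRDProfileError("DTDs are not accepted in discovery documents")
    root = ET.fromstring(xrd_xml)
    if root.tag != "{%s}XRD" % XRD_NS:
        raise XRDProfileError("root element is not an XRD")
    subjects = [(s.text or "").strip()
                for s in root.findall("{%s}Subject" % XRD_NS)]
    if len(subjects) > 1:
        raise XRDProfileError("more than one Subject")
    if not subjects or not subjects[0]:
        if require_subject:
            raise XRDProfileError("profile requires a Subject")
        return resolved_id  # implicit subject supplied by the transport
    # Assumption of this sketch: an explicit Subject must equal the
    # identifier the consumer resolved, otherwise the document is rejected.
    if subjects[0] != resolved_id:
        raise XRDProfileError("Subject does not match the resolved identifier")
    return subjects[0]


def accepted(xrd_xml, resolved_id, require_subject=True):
    """True if the document passes the profile check, False otherwise."""
    try:
        subject_for(xrd_xml, resolved_id, require_subject)
        return True
    except XRDProfileError:
        return False


# Constructed sample documents (example.com values are placeholders).
WITH_SUBJECT = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://example.com/alice</Subject>
  <Link rel="http://example.com/rel/provider" href="http://example.com/op"/>
</XRD>"""
WITHOUT_SUBJECT = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="http://example.com/rel/provider" href="http://example.com/op"/>
</XRD>"""
```
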