[OpenID] Summarizing my grouse with XRD
Santosh Rajan
santrajan at gmail.com
Fri Oct 23 01:41:41 UTC 2009
This probably is a good solution to the problem: RFC 2119 term-of-art
"SHOULD"/"RECOMMENDED".
In the case where an XRD is used as an identity, and the identity is the
<Subject> of the XRD, there cannot be any valid reason to ignore this item.
Can anyone think of a reason why this could be ignored?
On Thu, Oct 22, 2009 at 8:35 PM, Eve Maler <eve at xmlgrrl.com> wrote:
> Tiptoeing into this thread with trepidation... It's true that when any spec
> has options in it ("zero or one"), it will need to be profiled either
> implicitly (best practices in various communities) or, ideally, explicitly
> (a spec that references the XRD spec has to state which options it chooses)
> in order to get interop. In this respect, XRD can be considered a framework
> spec -- but so is every spec that has any options in it at all. That's
> probably close to 100% of specs. :-)
>
> It seems amply demonstrated in this thread that there are use cases where
> an absent <Subject> is useful, but it also seems that people should think
> hard about using that option because of the potential security implications,
> and perhaps it should be used far less often than the alternative. This
> option therefore seems tailor-made for the RFC 2119 term-of-art
> "SHOULD"/"RECOMMENDED":
>
> http://www.ietf.org/rfc/rfc2119.txt
>
> 3. SHOULD This word, or the adjective "RECOMMENDED", mean that there
> may exist valid reasons in particular circumstances to ignore a
> particular item, but the full implications must be understood and
> carefully weighed before choosing a different course.
>
>
> I can't seem to find any such guidance in the current draft, so maybe it's
> warranted to consider adding it.
>
> Eve
>
> On 22 Oct 2009, at 2:08 AM, Santosh Rajan wrote:
>
> 100% of the people interested in XRDs at the moment are from the identity
> community. I am not aware of any other community showing interest in XRD at
> the moment. What worries me is that people from the identity community are
> rooting for XRDs with 0 or 1 Subject, instead of requiring a Subject.
> Also it would make sense to enforce the <Subject> onto the 1% who would
> not require it, rather than leave the rest of the 99% to their own
> interpretation of what you mean by 0 or 1 Subject. You have already seen on
> this thread talk about the first party (originator) not providing a Subject,
> and the 2nd or 3rd party having to insert the Subject if required by
> themselves.
>
> After all, the <Subject> of an XRD is the most important Element of an XRD.
> It is amazing that you don't see it that way, and are willing to leave it in
> an ambiguous state and subject to interpretation. If anything can be a
> recipe for incompatibility between future identity protocols, then this is
> it.
>
> So if you are not going to do something about it then somebody else will
> have to add a new layer to XRD.
>
> On Thu, Oct 22, 2009 at 12:12 PM, Drummond Reed <
> drummond.reed at cordance.net> wrote:
>
>> Santosh,
>>
>> IMHO it's not worth all this worry about Subject being optional or not. If
>> 99% of XRDs need Subject because some protocol that will use the XRD
>> requires a Subject, then only 1% of XRDs will not have a Subject.
>>
>> And those 1% will probably be for very clear edge-case uses of XRD for a
>> specific job that doesn't care whether the XRD has a Subject.
>>
>> All the XRI TC did was recognize that XRD would be useful in that last 1%.
>>
>> Any protocol that uses XRD for discovery, such as OpenID, is free to
>> specify that Subject is mandatory. If so, anyone who tries to use an XRD
>> without a Subject for OpenID discovery will find it won't work, and will
>> need to add the Subject.
>>
>> Done (as is, I hope, this thread).
>>
>> =Drummond
>>
>> On Wed, Oct 21, 2009 at 8:42 PM, Santosh Rajan <santrajan at gmail.com> wrote:
>>
>>> So it is now clear to me that identity protocols cannot use the XRD
>>> specification "as is". There has to be a new "Identity Resource Descriptor"
>>> specification sitting in between XRD and all identity protocols that draw
>>> from XRD.
>>> I will explain the problem with a hypothetical example. Let's say
>>> webfinger were to specify that the <Subject> of the XRD is not required. And
>>> a future OpenID spec mandates the use of <Subject>, because the OpenID folks
>>> felt that XRD with no Subject was a security risk. The future OpenID Spec
>>> will not be able to use the webfinger protocol (which according to current
>>> thinking it may want to).
>>>
>>> In any case an "Identity Resource Descriptor", without a Subject to
>>> describe it, is entirely meaningless to me. So a new identity Layer for XRD
>>> is called for that mandates the use of <Subject> in all Identity Resource
>>> Descriptors (IRDs).
>>>
>>>
>>> On Thu, Oct 22, 2009 at 8:46 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>>
>>>> I suppose if we were starting fresh we could have called it RDML.
>>>>
>>>> I don't know that there is a meaningful distinction between a document
>>>> format like OpenDocument and meta-markup language like SAML. Technically
>>>> they are the same.
>>>>
>>>> The XRI-TC will also be producing an XRI 3.0 spec that will use this
>>>> updated XRD document specification.
>>>>
>>>> Webfinger and others may also produce processing specifications for XRD
>>>> or profiles of XRD.
>>>>
>>>> XRD is NOT an identifier.
>>>>
>>>> XRDS as currently used in OpenID discovery stands for eXtensible Resource
>>>> Descriptor Sequence.
>>>>
>>>> Yadis never made any use of the Sequence feature so we made it
>>>> optional.
>>>>
>>>> Hence the main document format spec is now called XRD and not XRDS.
>>>>
>>>> I know people are planning on using it with a multitude of different
>>>> identifiers including email addresses.
>>>>
>>>> It is still XML and the document is a meta-data descriptor not an
>>>> identifier.
>>>>
>>>> John B.
>>>>
>>>> On 2009-10-21, at 11:13 PM, Santosh Rajan wrote:
>>>>
>>>> In other words now you are saying that XRD is another markup language
>>>> like HTML and SAML. In which case you should be calling it "XRML" for
>>>> Extensible Resource Markup Language.
>>>> So what started as a "Descriptor" has morphed into a "Markup Language".
>>>>
>>>> So this gives scope for someone else to write the "REAL" Extensible
>>>> Resource Descriptor Specification on top of XRML.
>>>>
>>>>
>>>> On Thu, Oct 22, 2009 at 2:24 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>>>
>>>>> XRD is an XML document spec.
>>>>>
>>>>> On 2009-10-21, at 5:21 PM, John Kemp wrote:
>>>>>
>>>>> John Bradley wrote:
>>>>>>
>>>>>>> It means that some protocol that is using XRD is defining the subject
>>>>>>> via some external mechanism.
>>>>>>>
>>>>>>
>>>>>> So the XRD spec. is a template spec. meant to be simply incorporated
>>>>>> by reference into other specs. I guess?
>>>>>>
>>>>> Like other XML specs, e.g. SAML 2.0, it can be used by multiple
>>>>> specifications that process XML documents.
>>>>>
>>>>> External specs can profile the XRD spec.
>>>>>
>>>>> In the HTTP protocol case there may be an implicit subject based on
>>>>>>> the identifier that is being resolved.
>>>>>>>
>>>>>>
>>>>>> As mentioned earlier, if the _subject_ of the XRD is identified
>>>>>> (implicitly) by the same URI used to retrieve the XRD itself, then that
>>>>>> seems rather circular.
>>>>>>
>>>>> The XML document describes a resource and provides links to
>>>>> associated resources.
>>>>> An HTML page doesn't need to explicitly say what URI it is retrieved
>>>>> from in its internal markup.
>>>>>
>>>>> Like with HTML sometimes the subject is defined by the transport or
>>>>> other external method.
>>>>>
>>>>> Thanks
>>>>> John B.
>>>>>
>>>>>>> All normal HTTP caching would apply in the http: case.
>>>>>>>
>>>>>>
>>>>>> Sure, I'm not quibbling with caching...
>>>>>>
>>>>>>> In the IMI/SAML case we have discussed pushing an XRD as an
>>>>>>> assertion/claim.
>>>>>>> In that case the subject may be the same as the saml:NameID in the
>>>>>>> containing saml:Assertion.
>>>>>>> It could perhaps be argued that putting an xrd:Subject and signature
>>>>>>> inside a signed saml:Assertion is unnecessary.
>>>>>>> Suffice to say it is up to the protocol using XRD to decide what to
>>>>>>> make of an XRD without an xrd:Subject.
>>>>>>>
>>>>>>
>>>>>> OK, I think I've understood ;)
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> - johnk
>>>>>>
>>>>>>> John B.
>>>>>>> On 2009-10-21, at 3:09 PM, John Kemp wrote:
>>>>>>>
>>>>>>>> John Bradley wrote:
>>>>>>>>
>>>>>>>>> Yes, an XRD can be used for identity. In that case it should be a
>>>>>>>>> signed XRD (with Subject).
>>>>>>>>> However, an XRD can be used to describe any resource (URI).
>>>>>>>>>
>>>>>>>>
>>>>>>>> What does it mean then (in XRD terms) if an XRD doesn't identify the
>>>>>>>> resource it describes (i.e. it doesn't have a subject)?
>>>>>>>>
>>>>>>>> - johnk
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> http://hi.im/santosh
>>>>
>>>
>>>
>>> --
>>> http://hi.im/santosh
>>>
>>> _______________________________________________
>>> general mailing list
>>> general at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-general
>>>
>
> --
> http://hi.im/santosh
>
> Eve Maler
> eve at xmlgrrl.com
> http://www.xmlgrrl.com/blog
>
>
--
http://hi.im/santosh
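As an added example (not code from the thread, the XRD spec or any OpenID project), a small Python check that implements the profile layer the thread argues about: a bare-XRD mode that accepts an absent <Subject> as implicit from the resolution URI, and an identity-profile mode that rejects a missing <Subject> and requires a present one (or an <Alias>) to name the identifier that was actually resolved. The namespace is XRD 1.0's; the sample documents, the acct: alias and the profile's matching rule are assumptions.

```python
import xml.etree.ElementTree as ET  # constructed input only; use defusedxml for untrusted XRDs

# XRD 1.0 namespace as published by the OASIS XRI TC.
XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"
SUBJECT = "{%s}Subject" % XRD_NS
ALIAS = "{%s}Alias" % XRD_NS

def check_xrd(xml_text, resolved_uri, subject_required):
    """Validate an XRD under a hypothetical identity profile (assumed rules).

    Bare XRD allows zero or one <Subject>. With subject_required=True (the
    identity layer the thread asks for) a missing <Subject> is rejected and a
    present one must equal the identifier resolved, directly or via <Alias>.
    Returns (ok, subject, reason).
    """
    root = ET.fromstring(xml_text)
    subjects = root.findall(SUBJECT)
    if len(subjects) > 1:
        return False, None, "XRD allows at most one <Subject>"
    if not subjects:
        if subject_required:
            return False, None, "profile requires an explicit <Subject>"
        # Bare XRD: subject is implicit, supplied by the transport (URI resolved).
        return True, resolved_uri, "implicit subject taken from the resolution URI"
    subject = (subjects[0].text or "").strip()
    aliases = [(a.text or "").strip() for a in root.findall(ALIAS)]
    if resolved_uri != subject and resolved_uri not in aliases:
        return False, subject, "<Subject> does not match the identifier resolved"
    return True, subject, "explicit <Subject> verified against the resolution URI"

# Constructed sample XRDs (not from the thread or any real deployment).
XRD_WITH_SUBJECT = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://example.com/alice</Subject>
  <Alias>acct:alice@example.com</Alias>
  <Link rel="describedby" href="http://example.com/alice/profile"/>
</XRD>"""
XRD_NO_SUBJECT = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Link rel="describedby" href="http://example.com/alice/profile"/>
</XRD>"""

if __name__ == "__main__":
    print(check_xrd(XRD_WITH_SUBJECT, "http://example.com/alice", True))
    print(check_xrd(XRD_NO_SUBJECT, "http://example.com/alice", True))
    print(check_xrd(XRD_NO_SUBJECT, "http://example.com/alice", False))
    print(check_xrd(XRD_WITH_SUBJECT, "http://example.com/mallory", True))
```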