[OpenID] Comment on new Draft host-meta

Peter Williams home_pw at msn.com
Sun Oct 25 20:32:46 UTC 2009


Concerning the abstract argument at
http://hueniverse.com/2009/07/users-vs-identity-providers-in-openid/

The host-meta draft seems to hinge on a core argument. It asserts as
conclusion that a URI really cannot identify a host (and thus one needs the
IETF standard to redress what the web architects have failed to do). It
implies that the openid community has been barking up the wrong tree in using a
URI to identify an OP provider. ONLY a DOMAIN NAME can really identify a
host (and thus an OP provider).

I have to say that I'm struggling to accept that argument as sound.

The assumption that a URI cannot really identify an OP Provider is hard to
accept. It seems to fly in the face of what the semweb metadata model is all
about.

That one must _necessarily_ equate an OP Provider with a "host" (and thus a
domain name), seems bizarre. As an option (and an opportunity), it seems
fine.

So far, I find myself intuitively objecting on the grounds that no such
argument was necessary in the SAML world (which had some really picky
identity pedants attached to its authoring, editing and review). If the IDP's
entityname in the SAML world happens to be a URL, one COULD simply (and
Shibboleth software DOES) use the URI to obtain the SAML metadata from an
HTTP server. There was and is no "necessity" for complex arguments about
hosts, providers, and what URIs can and cannot do (if one equates an IDP
Provider with a "host"). Picking up metadata about an IDP named by URL is
done every day, and I cannot find any argument of theoretical issues with
it.

Now, what am I missing? Is there analysis of the argument when applied to
SAML2 and Shibboleth (vs OpenID)?

Why would the argument hold for openid asserting parties (and OP Providers),
but not for SAML asserting parties (and IDP providers)?
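The two discovery models the post contrasts (dereferencing the identifier URL itself, as Shibboleth does with a SAML entityID, versus reducing the identifier to its host and fetching a per-host document, as the host-meta draft does) can be made concrete in a few lines. The following is an added example, not code from the post or from any OpenID or Shibboleth project; it assumes the `/.well-known/host-meta` path specified by the host-meta draft, and the identifier URLs in it are constructed sample values. It only computes where each model would look for metadata, so it runs offline; the point it shows is that under host-meta, every identifier on a host resolves to the same metadata document, so the granularity at which a relying party can distinguish providers drops from "one URI" to "one host".

```python
from urllib.parse import urlsplit, urlunsplit

# Path defined by the host-meta draft for the per-host metadata document.
HOST_META_PATH = "/.well-known/host-meta"


def _authority(identifier: str) -> tuple[str, str]:
    """Return (scheme, host[:port]) for an http(s) identifier, dropping any userinfo."""
    parts = urlsplit(identifier)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) identifier: {identifier!r}")
    host = parts.hostname  # urlsplit lowercases the host for us
    if parts.port is not None and parts.port != {"http": 80, "https": 443}[parts.scheme]:
        host = f"{host}:{parts.port}"
    return parts.scheme, host


def direct_metadata_location(identifier: str) -> str:
    """SAML/Shibboleth style: the identifier URL is itself dereferenced for metadata,
    so two different identifiers always lead to two different documents."""
    _authority(identifier)  # validate only; the identifier is the location
    return identifier


def host_meta_location(identifier: str) -> str:
    """host-meta style: reduce the identifier to its host, then fetch the well-known
    document for that host; the path and query of the identifier are discarded."""
    scheme, host = _authority(identifier)
    return urlunsplit((scheme, host, HOST_META_PATH, "", ""))


def collapses_under_host_meta(identifier_a: str, identifier_b: str) -> bool:
    """True when two distinct identifiers would be served by one and the same
    host-meta document, i.e. host-meta cannot tell the two providers apart."""
    return (
        identifier_a != identifier_b
        and host_meta_location(identifier_a) == host_meta_location(identifier_b)
    )


if __name__ == "__main__":
    # Constructed sample identifiers: two "OP providers" hosted under one domain.
    alice = "https://op.example/users/alice"
    bob = "https://op.example/users/bob"
    for ident in (alice, bob):
        print(ident)
        print("  direct   ->", direct_metadata_location(ident))
        print("  host-meta->", host_meta_location(ident))
    print("collapse:", collapses_under_host_meta(alice, bob))
```

Run it as a script to see the two lookups side by side: the direct model keeps `/users/alice` and `/users/bob` apart, while the host-meta model sends both to `https://op.example/.well-known/host-meta`. Whether that collapse is a defect or a feature is exactly the question the post raises; what the code makes visible is that it is a property of the discovery step, not of whether a URI "can" name a provider.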





