[OpenID] user centric delegation vs portability: LRDD : competing threats: the consumer's fear hypothesis

Santosh Rajan santrajan at gmail.com
Tue Oct 27 04:10:04 UTC 2009


Hi John,
As you say the host-meta "provides a mapping from some identifier to an XRD
for that identifier". This is true in the larger context.

However it is important to remember that it is not the "host-meta" itself
that is doing the mapping. There is another application pointed to by the
<URITemplate> that is actually doing the mapping.

So strictly speaking the host-meta "provides a mapping from an identifier to
its resolver".

The host-meta is itself not doing the resolution, hence the host-meta need
not be concerned with the resolution. Therefore it follows that the
host-meta need not be concerned with the "scheme".

The whole "Scope" story is not required at all in this case.

In which case the <Subject> is required. The issue is then how you want to
describe the Subject. "dns:example.com" should be good enough in this case.


On Tue, Oct 27, 2009 at 6:01 AM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> Host-meta doesn't provide the OP.
>
> It provides a mapping from some identifier to an XRD for that identifier.
>
> It is the target XRD for the user that specifies the OP.
>
> Link headers can also provide the location of the XRD if you are
> using HTTP or another protocol that supports them.
>
> host-meta is an additional way to map identifiers to XRD for things like
> email, or in cases where the site can't or just doesn't want to use
> link-headers.
>
> Link-header is the replacement for the X-XRDS-Location custom header we
> were using in Yadis.
>
> John B.
> On 2009-10-26, at 8:28 PM, Manger, James H wrote:
>
> Dirk,
>
> I don’t think your IBM example is a very convincing argument for host-meta
> to take precedence over an actual OpenID URI. Listing an OP in host-meta may
> be a bit easier for an IBM IT admin than preventing links to OPs from other
> URIs — but the latter is quite feasible (rules in the page editing tool;
> filter in web server; validator on page changes; background script to look
> in the file system for this specific situation…). Even a non-technical
> corporate policy saying staff must not specify another OP goes some way to
> meeting the objective.
>
> It is probably more convenient for host-meta to be able to provide a
> default OP, which can be overwritten for some special URIs. Most OpenID URIs
> on a host don’t specify an OP so they fallback to host-meta, but a few can
> use a different OP (for non-humans, for contractors, for testing, for
> migrating to a new OP implementation, for staff with a different hardware
> login token…).
>
>
> *James Manger*
> James.H.Manger at team.telstra.com
> Identity and security team — Chief Technology Office — Telstra
>
> *From:* openid-general-bounces at lists.openid.net [mailto:
> openid-general-bounces at lists.openid.net] *On Behalf Of *Dirk Balfanz
> *Sent:* Tuesday, 27 October 2009 7:51 AM
> *To:* Peter Williams
> *Cc:* general at openid.net
> *Subject:* Re: [OpenID] user centric delegation vs portability: LRDD :
> competing threats: the consumer's fear hypothesis
>
> …If you have your own domain, you can pick (and change) your identity
> provider. But if you're one of 300,000 IBM employees, there are certain
> things you can't pick about your work account - you can't pick your email
> provider, you can't pick your calendaring software, and you can't presumably
> pick your identity provider - professionals at IBM who get paid to worry
> about this stuff will pick one for you that they are reasonably sure will
> not, say, put into jeopardy the 401k accounts of the combined IBM workforce
> (because, hypothetically speaking, IBM uses OpenID to log their employees
> into fidelity.com).
>
> We need a single sign-on solution for the Web that works both for
> Blogger/Facebook/consumer use case as well as the IBM use case.
>
> Dirk.
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
>


-- 
http://hi.im/santosh
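The identifier-to-resolver mapping Santosh describes above, as an added example (not code from this thread or from any OpenID project): a constructed host-meta XRD in the 2009 draft layout (Subject, Link/URITemplate; the namespace and the `{uri}` template variable are assumed), expanded in Python together with the Subject and same-host checks a relying party would apply before handing an identifier to the resolver.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

# Assumed: XRD 1.0 draft namespace and element layout (Subject, Link/URITemplate)
# with a {uri} variable that receives the percent-encoded identifier.
XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"

# Constructed host-meta for this example; "dns:example.com" is the Subject form
# discussed in the thread.
HOST_META = """<?xml version="1.0"?>
<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>dns:example.com</Subject>
  <Link>
    <Rel>describedby</Rel>
    <URITemplate>https://example.com/lrdd?uri={uri}</URITemplate>
  </Link>
</XRD>"""


def resolver_for(identifier: str, host_meta_xml: str, fetched_from_host: str) -> str:
    """Map an identifier to the URL of its resolver (the application behind
    URITemplate). The host-meta itself resolves nothing; it only tells us
    where resolution happens.

    Checks applied before the template is trusted:
    - the Subject must name the host the host-meta was fetched from, and
    - the expanded resolver URL must stay on that host over https, so a
      mis-served host-meta cannot route the identifier to a third party.
    """
    root = ET.fromstring(host_meta_xml)
    subject = root.findtext(f"{{{XRD_NS}}}Subject")
    if subject != f"dns:{fetched_from_host}":
        raise ValueError(f"Subject {subject!r} does not match host {fetched_from_host!r}")
    # The first Link carrying a URITemplate names the resolver for this host.
    template = root.findtext(f"{{{XRD_NS}}}Link/{{{XRD_NS}}}URITemplate")
    if template is None:
        raise ValueError("host-meta carries no URITemplate")
    # Substitute the identifier; percent-encoding keeps it a single query value.
    url = template.replace("{uri}", quote(identifier, safe=""))
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != fetched_from_host:
        raise ValueError(f"resolver {url!r} leaves host {fetched_from_host!r}")
    return url
```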