[OpenID] user centric delegation vs portability: LRDD : competing threats: the consumer's fear hypothesis
John Bradley
ve7jtb at ve7jtb.com
Tue Oct 27 13:35:47 UTC 2009
Don't think so.
Host-meta provides the template so that a resolver can find the XRD
for the identifier.
That XRD (likely a user XRD) then provides links to related resources
like the user's OP.
Scope is required so that an entity that controls a DNS authority can
say what protocols the host-meta XRD contains valid mappings for.
If there is a subject of a host-meta XRD it needs to relate to the DNS
names or names in the SSL cert used to sign it.
I think there are two issues.
1. Authority (relates to signing keys)
2. What URI schemes and ports the XRD contains mappings for.
I think the latest drafts of WebFinger have them somewhat conflated.
My personal preference would be to use <Subject> for trust and some
other elements to describe scope.
However mine is just one opinion.
No, I don't think <Subject> needs to be required in XRD.
Regards
John B.
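The resolution chain John describes (host-meta URITemplate -> user XRD -> OP link), written out as an added example that is not from the thread. The element names (<Subject>, <Link>, <URITemplate>), the "lrdd" rel and the OP rel value are assumptions, and the sample documents are constructed; the authority check only accepts a host-meta for identifiers under the DNS name in its Subject, the point Santosh and John are arguing over.

```python
# Added example: minimal host-meta/XRD resolver with an authority check.
# Element names follow the thread; the OP rel value and "lrdd" are assumed.
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"
OP_REL = "http://specs.openid.net/auth/2.0/provider"  # assumed rel value

# Constructed host-meta, as if served from example.com/.well-known/host-meta.
HOST_META = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>dns:example.com</Subject>
  <Link rel="lrdd"><URITemplate>https://example.com/xrd?uri={uri}</URITemplate></Link>
</XRD>"""

# Constructed user XRD, keyed by the URL the template expands to.
USER_XRDS = {
    "https://example.com/xrd?uri=https%3A%2F%2Fexample.com%2Falice":
    """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>https://example.com/alice</Subject>
  <Link rel="http://specs.openid.net/auth/2.0/provider" href="https://op.example.com/"/>
</XRD>""",
}

def host_meta_speaks_for(host_meta_xml, host):
    """A host-meta may only map identifiers under the DNS name in its Subject."""
    subject = ET.fromstring(host_meta_xml).findtext(XRD_NS + "Subject") or ""
    return subject.lower() == "dns:" + host.lower()

def xrd_url_for(host_meta_xml, identifier):
    """Expand the URITemplate for identifier; None if this host-meta may not map it."""
    host = urlsplit(identifier).hostname
    if host is None or not host_meta_speaks_for(host_meta_xml, host):
        return None
    for link in ET.fromstring(host_meta_xml).findall(XRD_NS + "Link"):
        tmpl = link.findtext(XRD_NS + "URITemplate")
        if link.get("rel") == "lrdd" and tmpl:
            return tmpl.replace("{uri}", quote(identifier, safe=""))
    return None

def find_op(identifier, fetch=USER_XRDS.get):
    """identifier -> user XRD -> OP endpoint. `fetch` stands in for an HTTP GET."""
    url = xrd_url_for(HOST_META, identifier)
    doc = fetch(url) if url else None
    if doc is None:
        return None
    root = ET.fromstring(doc)
    if (root.findtext(XRD_NS + "Subject") or "") != identifier:
        return None  # the user XRD must describe the identifier we asked about
    for link in root.findall(XRD_NS + "Link"):
        if link.get("rel") == OP_REL:
            return link.get("href")
    return None
```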
On 2009-10-27, at 1:10 AM, Santosh Rajan wrote:
> Hi John,
> As you say the host-meta "provides a mapping from some identifier to
> a XRD for that identifier". This is true in the larger context.
>
> However it is important to remember that it is not the "host-meta"
> itself that is doing the mapping. There is another application
> pointed to by the <URITemplate> that is actually doing the mapping.
>
> So strictly speaking the host-meta "provides a mapping from an
> identifier to its resolver".
>
> The host-meta is itself not doing the resolution, hence the host-
> meta need not be concerned with the resolution. Therefore it follows
> that the host-meta need not be concerned with the "scheme".
>
> The whole "Scope" story is not required at all in this case.
>
> In which case the <Subject> is required. The issue is then how you
> want to describe the Subject. "dns:example.com" should be good
> enough in this case.
>
>
> On Tue, Oct 27, 2009 at 6:01 AM, John Bradley <ve7jtb at ve7jtb.com>
> wrote:
> Host-meta doesn't provide the OP.
>
> It provides a mapping from some identifier to a XRD for that
> identifier.
>
> It is the target XRD for the user that specifies the OP.
>
> Link headers can also provide the location of the XRD if you
> are using HTTP or another protocol that supports them.
>
> host-meta is an additional way to map identifiers to XRD for things
> like email, or in cases where the site can't or just doesn't want to
> use link-headers.
>
> Link-header is the replacement for the X-XRDS-Location custom
> header we were using in Yadis.
>
> John B.
> On 2009-10-26, at 8:28 PM, Manger, James H wrote:
>
>> Dirk,
>>
>> I don’t think your IBM example is a very convincing argument for
>> host-meta to take precedence over an actual OpenID URI. Listing an
>> OP in host-meta may be a bit easier for an IBM IT admin than
>> preventing links to OPs from other URIs — but the latter is quite
>> feasible (rules in the page editing tool; filter in web server;
>> validator on page changes; background script to look in the file
>> system for this specific situation…). Even a non-technical
>> corporate policy saying staff must not specify another OP goes some
>> way to meeting the objective.
>>
>> It is probably more convenient for host-meta to be able to provide
>> a default OP, which can be overwritten for some special URIs. Most
>> OpenID URIs on a host don't specify an OP so they fall back to host-
>> meta, but a few can use a different OP (for non-humans, for
>> contractors, for testing, for migrating to a new OP implementation,
>> for staff with a different hardware login token…).
>>
>>
>> James Manger
>> James.H.Manger at team.telstra.com
>> Identity and security team — Chief Technology Office — Telstra
>>
>> From: openid-general-bounces at lists.openid.net [mailto:openid-
>> general-bounces at lists.openid.net] On Behalf Of Dirk Balfanz
>> Sent: Tuesday, 27 October 2009 7:51 AM
>> To: Peter Williams
>> Cc: general at openid.net
>> Subject: Re: [OpenID] user centric delegation vs portability:
>> LRDD : competing threats: the consumer's fear hypothesis
>>
>> …If you have your own domain, you can pick (and change) your
>> identity provider. But if you're one of 300,000 IBM employees,
>> there are certain things you can't pick about your work account -
>> you can't pick your email provider, you can't pick your calendaring
>> software, and you can't presumably pick your identity provider -
>> professionals at IBM who get paid to worry about this stuff will
>> pick one for you that they are reasonably sure will not, say, put
>> into jeopardy the 401k accounts of the combined IBM workforce
>> (because, hypothetically speaking, IBM uses OpenID to log their
>> employees into fidelity.com).
>>
>> We need a single sign-on solution for the Web that works both for
>> Blogger/Facebook/consumer use case as well as the IBM use case.
>>
>> Dirk.
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
>
>
> --
> http://hi.im/santosh
>
>