[OpenID] host-meta and "acct:"
Peter Williams
home_pw at msn.com
Tue Oct 27 17:52:07 UTC 2009
You not *still* on the xrd.subject vs xrd.ietf.scopes conspiracy, are you?
Omitting xrd.subject just allows a security context/container to play its
role. (The most rationale context is an https cert with domain-check
assertion authenticating the https session over which one pulls the
host-meta stream. Alternatively, per the standard, sign it per the XRD 1.0
spec and populate subject.)
I could see the case for requiring host-meta spec from IETF to disdclose HOW
one would PROPERLY ppulate subekct, in the case that the XRD is signed. Why
not make the case to the WG (else threaten them with raising the issue
during WG and then IESG last call )
-----
Im obviously getting far too old for facebook. I didnt recognise the sound
of the identity url you posted :-(. it's cute (in English)
Santosh Rajan wrote:
>
> ...
>
> Unfortunately I have a problem with this idea, even though I like it,
> this is not the way to do it. The problem is that if you want to
> legitimize "acct:" you need to be a software engineer contortionist.
> You need to "Reject" Subject from the host-meta, and you need to add
> "Scope" into the host-meta.
> ...
> --
> http://hi.im/santosh
> ...
>
--
View this message in context: http://www.nabble.com/host-meta-and-%22acct%3A%22-tp26079872p26082181.html
Sent from the OpenID - General mailing list archive at Nabble.com.
More information about the general
mailing list