[OpenID] extending host-meta beyond IETF extensions; ws-security policy like rules
Santosh Rajan
santrajan at gmail.com
Sat Oct 31 03:45:06 UTC 2009
The more I look at it, the more I can see that this whole "Scope" story is a can (truckload?) of worms waiting to be opened.

For this, the original objectives of XRD and host-meta have been changed somewhere down the line, after the "acct:" scheme came up:

1) XRD from "descriptor" to "markup language"
2) host-meta from "simple mapper" to "extending DNS".

My suggestion is that we stick to the original objectives for "Version 1.0" of the XRD and host-meta specs, use only the "http(s)" scheme, and get this whole thing working in the first place (acct: can be used to describe an email-like identifier in the Subject). Adding "Scope", extending DNS etc. can be done in a later version of the spec.

And this is not my idea. On the webfinger list, somebody (from the IETF, I think) has suggested the same thing: that they develop a simple Version 1 to start with.

Unfortunately these guys don't seem to be in a great mood to listen to reason.
On Fri, Oct 30, 2009 at 11:51 PM, Peter Williams <home_pw at msn.com> wrote:
>
> If one buys into host-meta, using scopes to identify for which URI (user)
> identities this host is authoritative (particularly in a world where cloud
> providers on one domain support app-domains on other domains), I can see
> more scope rules being required.
>
> On an app-domain basis, and then on a per-user basis, each overriding the
> cloud provider's scope, a host-meta scope for "authoritative sreg attributes"
> might be added to the app-domain's host-meta file.
>
> The RP might want to know which attributes the app-domain has "verified"
> and speaks for (above and beyond the cloud provider merely forwarding the
> values from the user's profile).
>
> Despite having outsourced to Google discovery and per-user profile
> management for my app domain on my domain's URI, I, the app domain, assert
> that I legally represent the value of sreg.website to be in compliance with
> my posted policy (also hanging off of my app domain's host-meta).
>
> In all likelihood, in this day and age, the policy would be an RDFa document,
> so it is readable by humans and the machine-readable elements can express
> rules in an algebra not dissimilar to ws-securitypolicy (controlling which
> claims are required at which RPs, and which an IDP (i.e. app-domain, not
> cloud provider) is itself willing to vouch for, legally).
--
http://hi.im/santosh