[OpenID] google, xri and signed xrd
Peter Williams
pwilliams at rapattoni.com
Sat Sep 12 14:34:13 UTC 2009
Addressing the weaknesses in openid discovery (XRI discovery, not YADIS)
1. Go to Google.com, and select the iGoogle home page. (...portal page, now with gadgets...)
2. Install http://www.freexri.com/tools/GoogleGadget/
3. Use the XRI gadget, type "@blog*lockbox" and try out "resolution" (see it pop up a teaching window, and note I have a certificate SEP registered for this "endpoint")
4. On the teaching window, also try out the SAML option to get a signed XRD (choose resolve type "authority")
5. On the teaching window, also try out the SAML option with the XRDS option, to get *multiple* signed XRDs forming a chain of signed assertions (choose resolve type "authority")
What is interesting here is that .gov could easily publish its whitelist of OPs in such a form, rather than kludging up a root registration authority. The XRD is signed on the fly (even though the registered "cert" for the OP's https endpoint is static). To scale out the domain graph, there are chains...much as one has chains of certs and x-certs in PKI-based domain management.
If anyone has an XRI Resolution client in .NET, please let me know. In security, having your own code interwork with your own code is typically not a strong proof of anything.
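Added example (not part of Peter's post, and not freexri's or any shipping resolver's code): the structural half of what an independent XRI resolution client has to do with a chain of XRDs like the one the gadget returns. It parses an XRDS, checks that each XRD in the authority chain reports status 100 and that each CanonicalID extends its parent's (the check XRI Resolution 2.0 requires before a child XRD is trusted), records whether each XRD carries a saml:Assertion, and then selects a service endpoint by Type from the final XRD. The i-numbers, the OP URL and the assertion contents in the embedded XRDS are constructed placeholders; the XML-DSig verification of the assertions is deliberately left to a signature library and is not done here.

```python
"""Walk an XRDS authority chain the way an XRI resolver must, before trusting
the final XRD's service endpoints.  Added illustration; sample data is made up."""
import xml.etree.ElementTree as ET

NS = {
    "xrds": "xri://$xrds",
    "xrd": "xri://$xrd*($v*2.0)",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed two-step chain for @blog*lockbox.  The i-numbers (@!B1E7.C1A4,
# !9F2A), the OP URL and the SAML assertion bodies are hypothetical.
SAMPLE_XRDS = """<XRDS xmlns="xri://$xrds" xmlns:xrd="xri://$xrd*($v*2.0)"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ref="xri://@blog*lockbox">
  <xrd:XRD>
    <xrd:Query>*blog</xrd:Query>
    <xrd:Status code="100"/>
    <xrd:CanonicalID>@!B1E7.C1A4</xrd:CanonicalID>
    <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2009-09-12T14:34:13Z">
      <saml:Issuer>xri://@</saml:Issuer>
    </saml:Assertion>
  </xrd:XRD>
  <xrd:XRD>
    <xrd:Query>*lockbox</xrd:Query>
    <xrd:Status code="100"/>
    <xrd:CanonicalID>@!B1E7.C1A4!9F2A</xrd:CanonicalID>
    <xrd:Service>
      <xrd:Type>http://openid.net/signon/1.0</xrd:Type>
      <xrd:URI>https://op.example/openid</xrd:URI>
    </xrd:Service>
    <saml:Assertion ID="_a2" Version="2.0" IssueInstant="2009-09-12T14:34:14Z">
      <saml:Issuer>xri://@!B1E7.C1A4</saml:Issuer>
    </saml:Assertion>
  </xrd:XRD>
</XRDS>"""

# Same chain with the child CanonicalID swapped so it no longer hangs off the parent.
TAMPERED_XRDS = SAMPLE_XRDS.replace("@!B1E7.C1A4!9F2A", "@!DEAD!9F2A")


def parse_xrds(xml_text):
    """Return the XRDs in resolution order as plain dicts."""
    root = ET.fromstring(xml_text)
    chain = []
    for xrd in root.findall("xrd:XRD", NS):
        status = xrd.find("xrd:Status", NS)
        cid = xrd.find("xrd:CanonicalID", NS)
        services = [
            {
                "types": [t.text for t in svc.findall("xrd:Type", NS)],
                "uris": [u.text for u in svc.findall("xrd:URI", NS)],
            }
            for svc in xrd.findall("xrd:Service", NS)
        ]
        chain.append({
            "query": xrd.findtext("xrd:Query", default="", namespaces=NS),
            "status": status.get("code") if status is not None else None,
            "canonical_id": cid.text if cid is not None else None,
            # Presence only: verifying the XML-DSig inside the assertion
            # is the job of a signature library, not of this walker.
            "has_assertion": xrd.find("saml:Assertion", NS) is not None,
            "services": services,
        })
    return chain


def verify_chain(chain, require_signed=True):
    """Return a list of problems; an empty list means the chain is acceptable."""
    problems = []
    if not chain:
        return ["empty XRDS"]
    parent = None
    for i, xrd in enumerate(chain):
        tag = f"XRD {i} ({xrd['query'] or '?'})"
        if xrd["status"] != "100":
            problems.append(f"{tag}: status code {xrd['status']!r}, expected 100")
        cid = xrd["canonical_id"]
        if cid is None:
            problems.append(f"{tag}: no CanonicalID")
        elif parent is not None and not (
            cid.startswith(parent) and len(cid) > len(parent) and cid[len(parent)] in "!*"
        ):
            # Child CanonicalID must be the parent's plus one more subsegment.
            problems.append(f"{tag}: CanonicalID {cid} does not extend parent {parent}")
        if require_signed and not xrd["has_assertion"]:
            problems.append(f"{tag}: no saml:Assertion (unsigned XRD in trusted mode)")
        parent = cid
    return problems


def select_sep(xrd, service_type):
    """URIs of every Service in one XRD that declares the requested Type."""
    return [u for s in xrd["services"] if service_type in s["types"] for u in s["uris"]]


if __name__ == "__main__":
    for label, doc in (("good", SAMPLE_XRDS), ("tampered", TAMPERED_XRDS)):
        chain = parse_xrds(doc)
        problems = verify_chain(chain)
        print(label, "->", problems or select_sep(chain[-1], "http://openid.net/signon/1.0"))
```

Resolving the chain this way (rather than just taking the last XRD's URI) is what makes a chain of signed XRDs comparable to a certificate chain: each hop has to be anchored to the one before it, and an endpoint from a chain that fails any hop is discarded.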