[OpenID] google, xri and signed xrd
John Bradley
ve7jtb at ve7jtb.com
Sat Sep 12 16:26:08 UTC 2009
Andrew Arnott started to port the XRI resolver to .NET.
The decision was made part way into the project to wait for the XRD
1.0 spec and XRI 3.0 resolution.
For the GSA using XRI for whitelists, the discussion did happen.
Though it was more around white-lists for info-card.
We didn't want to introduce new xmldsig requirements for openID RPs
that don't currently exist.
Once there is an XRD spec with dsig that is part of OpenID, that can be
revisited.
When the info-card profile comes out next week you will be able to see
where we might take it in the future.
Though the infocard whitelist will be based on SAML meta-data rather
than XRD for the moment.
I had hoped to do a distributed white-list for openID but that was a
bridge too far for the first round.
A central whitelist was the practical choice, not the one we believed
was best long term.
John B.
PS: XRI 2.0 is not an OASIS standard; we lost the vote, I can't change
that.
On 2009-09-12, at 10:34 AM, Peter Williams wrote:
> Addressing the weaknesses in openid discovery (XRI discovery, not
> YADIS)
>
> 1. Go to Google.com, and select the iGoogle home page. (…portal
> page, now with gadgets…)
>
> 2. Install http://www.freexri.com/tools/GoogleGadget/
>
> 3. Use the XRI gadget, type “@blog*lockbox” and try out
> “resolution” (see it pop up a teaching window, and note I have a
> certificate SEP registered for this “endpoint”)
>
> 4. On the teaching window, also try out the SAML option to get a
> signed XRD (choose resolve type “authority”)
>
> 5. On the teaching window, also try out the SAML option with the
> XRDS option, to get *multiple* signed XRDs forming a chain of signed
> assertions (choose resolve type “authority”)
>
> What is interesting here is that .gov could easily publish its
> whitelist of OPs in such a form, rather than kludging up a root
> registration authority. The XRD is signed on the fly (even though
> the registered “cert” for the OP’s https endpoint is static). To
> scale out the domain graph, there are chains…much as one has chains
> of certs and x-certs in PKI-based domain management.
>
> If anyone has an XRI Resolution client in .NET, please let me know.
> In security, having your own code interwork with your own code is
> typically not a strong proof of anything.