<HTML dir=ltr><HEAD></HEAD>
<BODY>
<DIV id=idOWAReplyText38897 dir=ltr>
<DIV dir=ltr><FONT face=Arial>Noah</FONT></DIV></DIV>
<DIV id=idSignature90258>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV><FONT face=Arial>Ive managed to finally use all my (deliberately consumer-grade) infrastructure to actually hopefully construct the scenario under discussion. Ive also got an implemnetation issue which requires the type of analysis underway in this thread.</FONT></DIV>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV><FONT face=Arial>I've configured various mapping onto http and (xri.net mapped) xri-based URIs, for what I understand to be the intended cases - and typical use cases - of OpenID discovery.</FONT> (So far, I've not touched XRDS or HTML metadata based delegation.)</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Unsed by anything</DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV>lockxri.homepw.org has a TXT record with value @freeid*lockbox</DIV></BLOCKQUOTE>
<DIV> </DIV>
<DIV>Namespace redirects</DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV>freelock.homepw.org get a DNS HTTP Redirect to <A href="http://xri.net/@freeid*lockbox" target=_blank>http://xri.net/@freeid*lockbox</A></DIV>
<DIV>lockbox.homepw.org gets a DNS HTTP Redirect to <A href="http://rapattoni.trustbearer.com/lockbox" target=_blank>http://rapattoni.trustbearer.com/lockbox</A></DIV></BLOCKQUOTE>
<DIV><FONT face=Arial>CNAME delegations</FONT></DIV>
<BLOCKQUOTE dir=ltr style="MARGIN-RIGHT: 0px">
<DIV><FONT face=Arial>op.homepw.org is delegated to myopenid.com</FONT></DIV>
<DIV><FONT face=Arial>homepw.op.homepw.org is mapped explicitely to homepw.myopenid.com</FONT></DIV></BLOCKQUOTE></DIV>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV>
<DIV><FONT face=Arial>Typing "lockbox.homepw.org" into </FONT><A href="http://rapattoni.trustbearer.com/consumer" target=_blank><FONT face=Arial>http://rapattoni.trustbearer.com/consumer</FONT></A><FONT face=Arial> pings 1 of the several OPs that said consumer webapp de/multiplexes, based currently on the namespace+domainname of the Redirect URI.</FONT></DIV>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV><FONT face=Arial>Most able user can easily type "lockbox.X" per the UI model of OpenID- which DNS + OpenID rules for normalization maps to </FONT><A href="http://y/lockbox" target=_blank><FONT face=Arial><A href="http://y/lockbox/" target=_blank>http://Y/lockbox</FONT></A>/</A><FONT face=Arial>. Im assuming DNS is partially trusted to map X bascially to Y using a DNS-based HTTP redirect, of which there are several X<->Y mappings in my demultiplexing scheme.</FONT></DIV></DIV>
<DIV>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV><FONT face=Arial>In my abnormal OP implementation, </FONT><A href="http://y/" target=_blank><FONT face=Arial>http://Y</FONT></A><FONT face=Arial> is the SAMLentityName that I use as the back end locator(s) addressing particular SAML server(s) and the SAML entityIDs associated with each OP-Identifer -- where each entity implements particular security controls associated with each of my several OPs. (Im thinking of creating the convention that <A href="x-excid://41180000/uri:http://xri.net/@freeid*lockbox" target=_blank><FONT face=Arial>http://xri.net/@freeid</FONT></A> would be an example of the form of the SAML entityName, when an organizational HXRI is recognised). </FONT></DIV>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV><FONT face=Arial>Lets note that its not the OP webapp that is engaging in redirects. Its DNS, configured by parties other than the OP admin.</FONT></DIV>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV><FONT face=Arial>Now, if I follow your argument (and my HTTP spec skills *are* limited), if the redirect from DNS was subsequently further redirected into a 303 See Other, then since freelock.homepw.org is initially mapped onto <A href="http://xri.net/@freeid*lockbox" target=_blank>http://xri.net/@freeid*lockbox</A> which could ten be 303 mapped to <A href="http://xri.net/@blog*lockbox" target=_blank><FONT face=Arial>http://xri.net/@blog*lockbox</FONT></A>, my demultiplexor should use an entity name of <A href="x-excid://41180000/uri:http://xri.net/@freeid*lockbox" target=_blank><FONT face=Arial>http://xri.net/@freeid*lockbox</FONT></A><FONT face=Arial> when being conforming with HTTP semantics. If I undersatnd John right, the OpenID identity in my auth request should be <A href="http://xri.net/@blog*lockbox" target=_blank><FONT face=Arial>http://xri.net/@blog*lockbox</FONT></A><FONT face=Arial> </FONT></FONT></FONT></DIV>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV><FONT face=Arial>Now, unike claimed ID fields, my use of DNS/Redirects to map openid constructs to saml entity names is not controlled by the OpenID standard. I choose what happens. I can choose HTTP compliance, being a local implementation matter.</FONT></DIV>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV><FONT face=Arial>Have I got the right mental model for handling the 303 in my private discovery process, if I choose conforming/compliant behaviour?</FONT></DIV>
<DIV><FONT face=Arial></FONT> </DIV>
<DIV><FONT face=Arial>peter.</FONT></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>
<HR tabIndex=-1>
</DIV>
<DIV><FONT face=Tahoma size=2><B>From:</B> Noah Slater<BR><B>Sent:</B> Mon 3/17/2008 10:41 AM<BR><B>To:</B> Drummond Reed<BR><B>Cc:</B> general@openid.net<BR><B>Subject:</B> Re: [OpenID] Calling OpenID 2.0editors(wasRE:ProblemswithOpenIDand TAG httpRange-14)<BR></FONT><BR></DIV></DIV>
<DIV><PRE style="WORD-WRAP: break-word">On Fri, Mar 14, 2008 at 05:17:47PM -0700, Drummond Reed wrote:
> Again, you can no more require relationships between identifiers at the
> abstract OpenID level to follow the relationships of identifiers at the HTTP
> layer than you can require relationships between identifiers at the HTTP
> level to follow the relationships of identifiers at the TCP/IP layer.
This is misleading for several reasons.
OpenID, as I understand it, violates HTTP semantics.
HTTP does not violate any of the TCP/IP semantics.
Where OpenID uses URIs it should obey the semantics all the way down.
Calling the URI concrete at one level and abstract at another level is a nice
way to explain the conceptual difference you perceive but it is not a magic
ticket that makes violation of HTTP any more appetising.
--
Noah Slater <http://bytesexual.org/>
_______________________________________________
general mailing list
general@openid.net
http://openid.net/mailman/listinfo/general
</PRE></DIV></BODY></HTML>