<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoPlainText style='margin-left:.5in'>-----Original Message-----<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>From: general-bounces@openid.net
[mailto:general-bounces@openid.net] On Behalf Of Drummond Reed<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>Sent: Friday, October 10, 2008
12:18 PM<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>To: 'Peter Watkins'; 'Allen Tom'<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>Cc: 'openid-general General'<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>Subject: Re: [OpenID] Yahoo
OpenID UX Study<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>It's one of the key security
advantages of XRIs -- the other is automatic<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>pairing with a canonical
persistent XRI i-number to prevent OpenID recycling<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>and support lifetime synonym
management.<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>=Drummond<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>Note: http://xml.coverpages.org/Cantor-SAML-v20-MetadataInteroperabilityProfile-WD01.pdf<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>The missive outlines the role of metadata (quite generally,
if you dump the SAML-specific orientation) as a trust fabric, and proposes the
"elimination of PKI" from that role.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>One could see XRDS files/responses addressing some of the
same ideas, in a convergence effort between saml/cardspace/openid.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>After all, <o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>1. XRDS files are just metadata, static or dynamic (in
the XRI case).<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>2. YADIS is just an access protocol for static metadata
(and the embodiment of the notions that OP/RP interworking will "rely
on" and be "dependent on" metadata). Native XRI - or its HXRI proxied
variant - is just a [rather more intelligent] access protocol, at the end of
the day.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>It seems that the OpenID Community is currently heading exactly
the opposite way to that proposed in the metadata missive to the OASIS WG - despite
being far more reliant on metadata-based controls than is the SAML community,
in practice. As an example of that contrast, OpenID standards and guidance seem
to be increasingly reliant on https and be increasingly dependent on its (usually
PKI-based) trust model … and … the associated governance
structures that come along with a (VeriSign) PKI: the CPS-based legal
warranties and their associated financial assurances.<o:p></o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
</div>
</body>
</html>