<br><br><div class="gmail_quote">On Mon, Jul 13, 2009 at 11:16 PM, Manger, James H <span dir="ltr"><<a href="mailto:James.H.Manger@team.telstra.com">James.H.Manger@team.telstra.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-AU" link="blue" vlink="purple">
<div>
<p>It is good to see Google trying new ideas with OpenID, such as their proof-of-concept for an OpenID Provider for Google hosted domains (<a href="https://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery" target="_blank">https://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery</a>).</p>
<p> </p>
<p>The protocol documentation offers a Google URI for starting discovery about a hosted domain. That is, start at
<a href="https://www.google.com/accounts/o8/host-meta?hd=example.com" target="_blank">https://www.google.com/accounts/o8/host-meta?hd=example.com</a> to discover the OpenID details for an <a href="http://example.com" target="_blank">example.com</a> user (by getting a pointer to an XRDS doc that contains an OP URI to send
an auth request to).</p>
<p> </p>
<p>This doesn’t scale. If Google, Yahoo, Microsoft, Xxx, Yyy… all ran OPs for hosted domains then an RP would have to try many discovery requests (and each RP would try a different subset).</p></div></div></blockquote><div>
You could solve that, as anything in computer science, with <a href="http://sites.google.com/site/oauthgoog/Home/pds">an additional level of indirection</a>, i.e., have a service that tells the RP which service is hosting the user's OP. Alternatively, domains will hopefully be serving their own host-metas, so there may or may not be a need for hosting host-metas.</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div lang="EN-AU" link="blue" vlink="purple"><div><p></p>
<p>This is probably not secure. Google could lie that it was the OP for a domain that it did not host (though I assume this is unlikely).</p></div></div></blockquote><div>Actually, one of the points of this exercise was to make it _more_ secure than Yadis discovery. The host-meta is simply used as a hint as to where you might find the site's signed XRD(S) document. If the host-meta points you to the wrong place, chances are the thing it points you to doesn't have the signature it needs to satisfy the resolver.</div>
<div><br></div><div>Dirk.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div lang="EN-AU" link="blue" vlink="purple"><div><p></p>
<p> </p>
<p>Perhaps Google URIs for other domains host-meta files are only a temporary hack for a demo.</p>
<p>Alternatively, there might be a significant number of groups who would like to use a hosted OP, but for whom it is still quite awkward to add even a single host-meta file to their web server.</p>
<p> </p>
<p>Q. Are the Google host-meta URIs a temporary hack for a demo, or a required feature for OpenID adoption?</p>
<p>Q. Will the reported changes to JanRain’s RPX service to support the Google proof-of-concept mean that the Google URIs for host-meta are used by production RPs (such as Sears)?</p>
<p> </p>
<p> </p>
<p>P.S. The protocol doc mentions <a href="http://example.com/.well-known/host-meta" target="_blank">
http://example.com/.well-known/host-meta</a> and <a href="http://example.com/host-meta" target="_blank">
http://example.com/host-meta</a> (for IdP and user discovery respectively). I guess one of these is a typo.</p>
<p> </p>
<p> </p>
<p><b>James Manger</b><br>
<a href="mailto:James.H.Manger@team.telstra.com" target="_blank">James.H.Manger@team.telstra.com</a><br>
Identity and security team — Chief Technology Office — Telstra</p>
</div>
</div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br>
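<p>An added example (not code from this thread, from Google, or from any OpenID library) of the resolver behaviour Dirk describes: the host-meta document is treated purely as an untrusted hint, and the OP endpoint is accepted only if the XRD it points to names the domain being discovered and carries a signature verifiable with a key the resolver already trusts for that domain. Real XRD documents use XML signatures with certificates; this example substitutes an HMAC over a canonical JSON body as a stand-in, and all URLs, keys, and documents are constructed inline. It also shows the case James raises: a host-meta served by a third-party hoster is fine when the XRD it points to is signed by the domain's own key, and rejected when it is not.</p>

```python
"""Toy host-meta -> XRD discovery with signature checking (added example).
Signing is an HMAC stand-in for XML-DSig; every URL, key and document below
is constructed for illustration only."""
import hashlib
import hmac
import json
import re
from typing import Optional

# Constructed trust store: the verification key the resolver already trusts for
# each domain (a certificate chain in the real protocol).
TRUSTED_KEYS = {"example.com": b"example-com-verification-key"}

LINK_RE = re.compile(r"<([^>]+)>")  # pulls the target URI out of a Link header


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def sign_xrd(xrd: dict, key: bytes) -> dict:
    """Attach a signature over the XRD body (HMAC stand-in for XML-DSig)."""
    return {**xrd, "Signature": hmac.new(key, _canonical(xrd), hashlib.sha256).hexdigest()}


def verify_xrd(doc: dict, key: bytes) -> bool:
    """Check the signature against the body with the Signature field removed."""
    sig = doc.get("Signature")
    if not isinstance(sig, str):
        return False
    body = {k: v for k, v in doc.items() if k != "Signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


# Constructed documents: a genuine XRD signed with example.com's key, and a rogue
# XRD that claims the same Subject but is signed with a key nobody trusts.
GENUINE = sign_xrd({"Subject": "example.com", "OP": "https://op.example.com/auth"},
                   TRUSTED_KEYS["example.com"])
ROGUE = sign_xrd({"Subject": "example.com", "OP": "https://op.rogue.invalid/auth"},
                 b"rogue-key")

# Constructed "web": URL -> document. Three host-meta locations point at XRDs for
# example.com: the domain itself, a legitimate hoster, and a rogue hoster.
WEB = {
    "https://example.com/.well-known/host-meta":
        "Link: <https://example.com/xrd>; rel=describedby",
    "https://example.com/xrd": GENUINE,
    "https://hoster.example.net/host-meta?hd=example.com":
        "Link: <https://hoster.example.net/xrd/example.com>; rel=describedby",
    "https://hoster.example.net/xrd/example.com": GENUINE,
    "https://rogue.invalid/host-meta?hd=example.com":
        "Link: <https://rogue.invalid/xrd/example.com>; rel=describedby",
    "https://rogue.invalid/xrd/example.com": ROGUE,
}


def fetch(url: str):
    """Stand-in for an HTTP GET against the constructed web."""
    return WEB.get(url)


def resolve_op(domain: str, host_meta_url: str) -> Optional[str]:
    """Follow the host-meta hint to an XRD and return its OP endpoint only if the
    XRD is for `domain` and verifies under a key trusted for `domain`.
    Where the hint was fetched from never matters; only the signature does."""
    hint = fetch(host_meta_url)
    if not isinstance(hint, str):
        return None
    match = LINK_RE.search(hint)
    if not match:
        return None
    xrd = fetch(match.group(1))
    if not isinstance(xrd, dict):
        return None
    key = TRUSTED_KEYS.get(domain)
    if key is None:
        return None                      # no trust anchor for this domain
    if xrd.get("Subject") != domain:
        return None                      # document is about some other domain
    if not verify_xrd(xrd, key):
        return None                      # wrong or missing signature
    return xrd["OP"]


if __name__ == "__main__":
    for url in ("https://example.com/.well-known/host-meta",
                "https://hoster.example.net/host-meta?hd=example.com",
                "https://rogue.invalid/host-meta?hd=example.com"):
        print(url, "->", resolve_op("example.com", url))
```

<p>The design point is that the hint and the trust anchor are separate: the resolver may collect host-meta pointers from any number of hosters (or from an extra indirection service), but it decides which OP to send the auth request to solely on the basis of the XRD's Subject and a signature that chains to something it trusts for that domain.</p>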