<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
{mso-style-priority:99;
mso-style-link:"Plain Text Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.5pt;
font-family:Consolas;}
span.PlainTextChar
{mso-style-name:"Plain Text Char";
mso-style-priority:99;
mso-style-link:"Plain Text";
font-family:Consolas;}
.MsoChpDefault
{mso-style-type:export-only;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText>-----Original Message-----<br>
From: hjs@bblfish.net [mailto:hjs@bblfish.net] On Behalf Of Story Henry<br>
Sent: Sunday, August 30, 2009 9:50 AM<br>
To: Peter Williams<br>
Cc: openid-general@lists.openid.net; John Bradley<br>
Subject: Re: [OpenID] Windows Live ID OpenID CTP Status Update (August 2009)</p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>On 30 Aug 2009, at 17:28, Peter
Williams wrote:<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>> I took my counsel on
fragments from
http://java.sun.com/javase/6/docs/api/java/net/URL.html?is-external=true<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>> "This fragment is not
technically part of the URL. []"<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>That is sleight of hand in the Java
documentation. That Java<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>documentation is not
authoritative on the meaning of URLs. That's an<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'>implementors point of view. :-)<o:p></o:p></p>
<p class=MsoPlainText style='margin-left:.5in'><o:p> </o:p></p>
<p class=MsoPlainText><o:p> </o:p></p>
<p class=MsoPlainText><span style='color:black'>Not that it’s too
relevant since we got to the more important architectural points ore relevant
to openid, but the java doc is entirely supported by the (older) RFC on URLs that
it references, which says the same thing.<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>The ref’s syntax is
necessarily resource-defined, and the UA should parse it according to the
dictates of the media type sent along with the retrieved file. If the foaf
stream at a webid s delivered under a mime type with suitable qualifier (e.g. text/foaf+rdf;webid=true
) the UA (which of course is the OP’s or RP’s SSL server) can know
to parse out the fragment ref of the non absolute URI part of the webid,
thereby determining from the cert a hash component. From existing knowhow I
have, I know its trivial to take the apache xml dsig resolver for digesting http
references, subclass the resolver to de-reference the webid, and ensure its
digest is equal not to the digest values in the xml dsig block now but to the
hash component on the webid (after parsing the fragment, to suit the profile)!<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>Hardly very semweb, I agree; but
then semweb reasoning doesn’t address ssl. And, here we are using SSL not
only as a transport but as a signaling mechanism for the public key id.<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>To the lexer, a fragment’s
tag (ref/reference) is also apparently a *uric - which charset apparently includes
hash (not that this choice of separator is exactly critical!)<o:p></o:p></span></p>
<p class=MsoPlainText><span style='color:black'><o:p> </o:p></span></p>
<p class=MsoPlainText><span style='color:black'>I believe I saw that your project
allows source programmers to take an SSL server implementation, add it to
tomcat listener/server, and then “extend SSL”. If this is true, I’ll
have a go – since I have a certain familiarity with the insides of the SSL
protocol. I think this is all within my prototyping capabilities. I completed
adding signed XRD chains to the XRI server last month, which got me over 10 years
laziness/avoidance-of anything to do with Java enterprise systems. Java on the
server side is seeming all rather cute (now someone _<i>else</i>_ has made it
mature).<o:p></o:p></span></p>
</div>
</body>
</html>