<html><head><base href="x-msg://85/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Andrew Arnott started to port the XRI resolver to .NET. <div><br></div><div>The decision was made partway into the project to wait for the XRD 1.0 spec and XRI 3.0 resolution.</div><div><br></div><div>For the GSA using XRI for whitelists, the discussion did happen.</div><div><br></div><div>Though it was more around whitelists for InfoCard.</div><div><br></div><div>We didn't want to introduce new xmldsig requirements for OpenID RPs that don't currently exist.</div><div><br></div><div>Once there is an XRD spec with dsig that is part of OpenID, that can be revisited.</div><div><br></div><div>When the InfoCard profile comes out next week you will be able to see where we might take it in the future.</div><div><br></div><div>Though the InfoCard whitelist will be based on SAML metadata rather than XRD for the moment.</div><div><br></div><div>I had hoped to do a distributed whitelist for OpenID, but that was a bridge too far for the first round.</div><div><br></div><div>A central whitelist was the practical choice, not the one we believed was best long term.</div><div><br></div><div>John B.</div><div><br></div><div>PS: XRI 2.0 is not an OASIS standard; we lost the vote, I can't change that. 
</div><div><br><div><div>On 2009-09-12, at 10:34 AM, Peter Williams wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div lang="EN-US" link="blue" vlink="purple"><div class="Section1">
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; ">Addressing the weaknesses in OpenID discovery (XRI discovery, not YADIS)</div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; "><br></div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; text-indent: -0.25in; "><span>1. </span>Go to <a href="http://Google.com" style="color: blue; text-decoration: underline; ">Google.com</a>, and select the iGoogle home page. (…portal page, now with gadgets…)</div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><br></div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; text-indent: -0.25in; "><span>2. </span>Install <a href="http://www.freexri.com/tools/GoogleGadget/" style="color: blue; text-decoration: underline; ">http://www.freexri.com/tools/GoogleGadget/</a></div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><br></div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; text-indent: -0.25in; "><span>3. </span>Use the XRI gadget, type “@blog*lockbox” and try out “resolution” (see it pop up a teaching window, and note I have a certificate SEP registered for this “endpoint”)</div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><br></div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; text-indent: -0.25in; "><span>4. </span>On the teaching window, also try out the SAML option to get a signed XRD (choose resolve type “authority”)</div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><br></div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; text-indent: -0.25in; "><span>5. </span>On the teaching window, also try out the SAML option with the XRDS option, to get *multiple* signed XRDs forming a chain of signed assertions (choose resolve type “authority”)</div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><br></div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; ">What is interesting here is that .gov could easily publish its whitelist of OPs in such a form, rather than kludging up a root registration authority. The XRD is signed on the fly (even though the registered “cert” for the OP’s https endpoint is static). To scale out the domain graph, there are chains… much as one has chains of certs and x-certs in PKI-based domain management.</div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.5in; font-size: 11pt; font-family: Calibri, sans-serif; "><br></div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; ">If anyone has an XRI Resolution client in .NET, please let me know. In security, having your own code interwork with your own code is typically not a strong proof of anything.</div>
<div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 11pt; font-family: Calibri, sans-serif; "><br></div>
</div></div>_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net" style="color: blue; text-decoration: underline; ">general@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-general" style="color: blue; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-general</a><br></div></span></blockquote></div><br></div></body></html>