<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">For the signed XRD trust model the Subject must be explicit.<div><br></div><div>I am hoping that for openID we opt to use an appropriate trust model that involves signatures.</div><div><br></div><div>The XRD without a subject is essentially the status quo. </div><div><br></div><div>Without signed XRD you have to trust entirely in session security, and at that point if someone can hijack the session they can easily fake the Subject.</div><div><br></div><div>While I happen to agree that for the most part XRD without subjects (like all of the Yadis XRDS documents currently used) are not ideal from a security point of view, however it is not up to the XRD spec to preclude them.</div><div><br></div><div>I can only hope to see the openID community adopt signed XRD as a more secure option to what we currently have with Yadis.</div><div><br></div><div>John B.</div><div><br></div><div><br><div><div>On 2009-10-20, at 11:17 AM, Santosh Rajan wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">So now I want to post my grouse no (2) with XRD. The idea that the <Subject> of an XRD can be implicit or "0" is a BAD BAD BAD Idea!! Sorry Dirk for the Caps and exclamations. I will list out the reasons.<div>
<br></div><div>1) XRD without <Subject> is a security risk. If nothing, it makes life easier for the "Man in the middle attacker".</div><div>2) Cacheing of XRD's is thrown out of the window. You can't cache XRD's without a <Subject>. I firmly believe that Cacheing of XRD's will be a "BIG THING". Applications "IN THE KNOW OF XRD's" will deifinitely like to cache XRD's. It will definitely speed up the discovery process.</div>
<div>3) The whole idea of millions/billions XRD's flying around the WWW like "headless chicken" (without subject) is giving me nightmares.</div><div><br></div><div>The <Subject> MUST be made mandatory for every XRD.</div>
<div><br><div class="gmail_quote">On Tue, Oct 20, 2009 at 2:26 AM, Breno de Medeiros <span dir="ltr"><<a href="mailto:breno@google.com">breno@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
The subject of an XRD is implicitly the URI of the resource that was<br>
discovered and resulted in this XRD being returned as its metadata. So<br>
in general Subject is not needed.<br>
<br>
When the same metadata applies to multiple URIs then one can be the<br>
Subject and others can be Aliases.<br>
<br>
Another use for Subject is for the XRD signature. A sound trust model<br>
needs to validate the binding of subject and metadata in the<br>
signature, so Subject should always be present in signed documents,<br>
unless the application defines other means to bind the metadata and<br>
resource in a verifiable way.<br>
<font color="#888888"><br>
<br>
--<br>
--Breno<br>
<br>
+1 (650) 214-1007 desk<br>
+1 (408) 212-0135 (Grand Central)<br>
MTV-41-3 : 383-A<br>
PST (GMT-8) / PDT(GMT-7)<br>
</font></blockquote></div><br><br clear="all"><br>-- <br><a href="http://hi.im/santosh">http://hi.im/santosh</a><br><br><br>
</div>
_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>http://lists.openid.net/mailman/listinfo/openid-general<br></blockquote></div><br></div></body></html>