<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Yes a XRD can be used for identity. In that case it should be a signed XRD (with Subject)<div><br></div><div>However a XRD can be used to describe any resource (URI).</div><div><br></div><div>I may have a XRD that describes my site in the same way a robots.txt might.</div><div><br></div><div>It might be used to enable Identity in the browser by allowing browser plugins to discover the sites policy (see Flock and other IdIB projects)</div><div><br></div><div>It may be more practical for some sites to point to a single document that is authoritative for all of the URI on there site rather than forcing them to create individual XRD for each URI where it may not be necessary.</div><div><br></div><div>XRD supports both models. I know you want us to restrict implementers to a single model.</div><div><br></div><div>That is not the role of the XRI-TC if we don't support the use case people will crate there own hacks to get around the limitation.</div><div><br></div><div>I would oppose any vote in the TC to always require a Subject element in the XSD.</div><div><br></div><div>John B.</div><div><br></div><div>On 2009-10-21, at 2:37 PM, Santosh Rajan wrote:<div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Robots.txt's are unique to a specific resource. The scope of XRD's is larger than that. XRD's are not unique to individuals when used as indentities. Using a <Subject> is the only way you can differentiate XRD's belonging to the same individual or resource. Thats why i said we are comparing apples and oranges.<br>
<br><div class="gmail_quote">On Wed, Oct 21, 2009 at 10:24 PM, Ben Laurie <span dir="ltr"><<a href="mailto:benl@google.com">benl@google.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Wed, Oct 21, 2009 at 5:07 PM, Santosh Rajan <<a href="mailto:santrajan@gmail.com">santrajan@gmail.com</a>> wrote:<br>
> Comparing robots.txt with an XRD is like comparing "apples with oranges".<br>
> Can you do better than that? Cacheing robots.txt is not the same as cacheing<br>
> an XRD. I will explain.<br>
> If my browser wants to cache all my XRD's. This is a real possibility. I may<br>
> have XRD's at Google, Yahoo, Microsoft and "my own" host. The only way you<br>
> can differentiate between all these XRD's is if the XRD;'s have a <Subject>.<br>
<br>
</div>If we were defining robots.txt today, we might consider doing it as an<br>
XRD. So, it seems to me that the comparison is entirely fair.<br>
<div><div></div><div class="h5"><br>
><br>
> On Wed, Oct 21, 2009 at 9:28 PM, Breno de Medeiros <<a href="mailto:breno@google.com">breno@google.com</a>> wrote:<br>
>><br>
>> On Wed, Oct 21, 2009 at 8:47 AM, Santosh Rajan <<a href="mailto:santrajan@gmail.com">santrajan@gmail.com</a>><br>
>> wrote:<br>
>> > This is further to my post "Open Challenge to webfinger, XRD". The post<br>
>> > has<br>
>> > grown in all directions. So I would like to put my arguments in a<br>
>> > nutshell.<br>
>> ><br>
>> > The idea of an XRD without a Subject is unacceptable for the following<br>
>> > reasons.<br>
>> > 1) XRD without <Subject> is a security risk. If nothing, it makes life<br>
>> > easier for the "Man in the middle attacker".<br>
>><br>
>> Not necessarily all applications are security sensitive. Think about<br>
>> robots.txt. Does it have a Subject? No. Does it introduce security<br>
>> vulnerabilities? No. Is it metadata about something? Yes.<br>
>><br>
>> > 2) Cacheing of XRD's is thrown out of the window. You can't cache XRD's<br>
>> > without a <Subject>. I firmly believe that Cacheing of XRD's will be a<br>
>> > "BIG<br>
>> > THING". Applications "IN THE KNOW OF XRD's" will deifinitely like to<br>
>> > cache<br>
>> > XRD's. It will definitely speed up the discovery process.<br>
>><br>
>> No. Lack of a subject does not prevent anyone from caching robots.txt<br>
>> and will not prevent anyone from caching XRDs. Indeed, caching XRD<br>
>> works completely independent of the Subject. For instance, if a<br>
>> client follows a sequence of cacheable redirects and gets an XRD<br>
>> document, it should be able to retrieve the XRD from cache next time<br>
>> it discovers the same resource (regardless of whether the resource is<br>
>> also the Subject of the XRD, an Alias listed in the XRD or if the XRD<br>
>> has no Subject).<br>
>><br>
>> > 3) I am seeing the real possibility that applications will be developed<br>
>> > where users can "save" their XRD's locally. Further, users may be able<br>
>> > to to<br>
>> > upload their XRD's to sites that require it. All this will require a<br>
>> > <Subject>.<br>
>><br>
>> No, it doesn't. See robots.txt<br>
>><br>
>><br>
>><br>
>> --<br>
>> --Breno<br>
><br>
><br>
><br>
> --<br>
> <a href="http://hi.im/santosh" target="_blank">http://hi.im/santosh</a><br>
><br>
><br>
><br>
</div></div>> _______________________________________________<br>
> general mailing list<br>
> <a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>
> <a href="http://lists.openid.net/mailman/listinfo/openid-general" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br>
><br>
><br>
</blockquote></div><br><br clear="all"><br>-- <br><a href="http://hi.im/santosh">http://hi.im/santosh</a><br><br><br>
</div>
_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>http://lists.openid.net/mailman/listinfo/openid-general<br></blockquote></div><br></div></body></html>