<html><head><base href="x-msg://1639/"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">James,<div><br></div><div>If a site say IBM uses site-meta to map URL's to XRD there is nothing to stop them from giving an individual edit access to the XRD so they can map there services to wherever they like.</div><div><br></div><div>It makes it harder to have an exception for hosting a single XRD someplace else.</div><div><br></div><div>They can use link headers if they want to allow users to host there XRD at arbitrary locations.</div><div><br></div><div>However they would still need to sign the XRD if the subject is there URI and they are not using host-meta to delegate.</div><div><br></div><div>host-meta is about controlling where the XRD are and not about controlling the OP.</div><div>They are related but separate issues.</div><div><br></div><div>John B.</div><div><br><div><div>On 2009-10-27, at 4:09 AM, Manger, James H wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div lang="EN-AU" link="blue" vlink="purple"><div class="Section1"><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">Dirk,<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">If a company gives total control of the contents of a set of URIs to staff members, then also wants to use those<span class="Apple-converted-space"> </span><b>same URIs</b><span class="Apple-converted-space"> </span>as controlled security-sensitive OpenID identifiers… then that is a disconnect that I doubt host-meta can or should try to paper over. Does any company do this?<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">If a company wants to control the OP it is trivial to offer official OpenID URIs for staff where staff have no control over their page (perhaps with the exception of a photo or blog link). Isn’t this how most major public OPs work today? It is well suited to entering “staff.example.com” at RPs, instead of a longer actual OpenID URI (say,<span class="Apple-converted-space"> </span><a href="http://staff.example.com/12345678" style="color: blue; text-decoration: underline; ">staff.example.com/12345678</a>).<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div><blockquote style="border-top-style: none; border-right-style: none; border-bottom-style: none; border-width: initial; border-color: initial; border-left-style: solid; border-left-color: rgb(204, 204, 204); border-left-width: 1pt; padding-top: 0cm; padding-right: 0cm; padding-bottom: 0cm; padding-left: 6pt; margin-left: 4.8pt; margin-right: 0cm; "><div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; color: rgb(31, 73, 125); ">>><span class="Apple-converted-space"> </span></span><span style="font-size: 11pt; color: rgb(31, 73, 125); ">It is probably more convenient for host-meta to be able to provide a default OP,</span><span style="font-size: 11pt; color: rgb(31, 73, 125); "><br>>></span><span style="font-size: 11pt; color: rgb(31, 73, 125); "><span class="Apple-converted-space"> </span>which can be overwritten for some special URIs.</span><span style="font-size: 11pt; color: rgb(31, 73, 125); "><o:p></o:p></span></div></div></div></blockquote><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: rgb(31, 73, 125); ">><span class="Apple-converted-space"> </span></span>You can do that under my proposal: You don't specify the OP in the host-meta.<span style="color: rgb(31, 73, 125); "><o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: rgb(31, 73, 125); ">></span><span class="Apple-converted-space"> </span>You use the Link-HTTP-header to point to the "default" XRD for most URIs<span style="color: rgb(31, 73, 125); "><o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">></span><span class="Apple-converted-space"> </span>(which in turn points to the "default" OP). You have some sort of process in which<span style="color: rgb(31, 73, 125); "><o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: rgb(31, 73, 125); ">></span><span class="Apple-converted-space"> </span>that Link-header can be set to point to a non-default XRD,<span style="color: rgb(31, 73, 125); "><o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">></span><span class="Apple-converted-space"> </span>which then points to a non-default OP. If a company/web site wants to do that, that's up to them.<o:p></o:p></div></div><div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><br><span style="color: rgb(31, 73, 125); ">Sure, you can do it by ditching host-meta and doing something a bit more complicated. It will be painful if a site starts with host-meta for all; then wants 1 exception; so they have to ditch host-meta and switch to Link headers for everyone. In other words you have to be absolutely sure you will never want any exceptions if you choose the host-meta option (and it has priority).<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="color: rgb(31, 73, 125); ">The scenarios where a high-priority host-meta helps security seem rarer than the scenarios where a low-priority host-meta aids deployment, maintains user-centricity (and is more backwards compatible with existing OpenID)… but perhaps I still like URIs as identifier too much ;-)<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); ">James Manger<o:p></o:p></span></div><div style="margin-top: 0cm; margin-right: 0cm; margin-bottom: 0.0001pt; margin-left: 0cm; font-size: 12pt; font-family: 'Times New Roman', serif; "><span style="font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(31, 73, 125); "><o:p> </o:p></span></div></div></div></div>_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net" style="color: blue; text-decoration: underline; ">general@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-general" style="color: blue; text-decoration: underline; ">http://lists.openid.net/mailman/listinfo/openid-general</a><br></div></span></blockquote></div><br></div></body></html>