<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Don't think so.<div><br></div><div>Host-meta provides the template so that a resolver can find the XRD for the identifier. </div><div><br></div><div>That XRD (likely a user XRD) then provides links to related resources like the user's OP.</div><div><br></div><div>Scope is required so that an entity that controls a DNS authority can say what protocols the host-meta XRD contains valid mappings for.</div><div><br></div><div>If there is a subject of a host-meta XRD, it needs to relate to the DNS names or names in the SSL cert used to sign it.</div><div><br></div><div>I think there are two issues.</div><div>1. Authority (relates to signing keys)</div><div>2. What URI schemes and ports the XRD contains mappings for.</div><div><br></div><div>I think the latest drafts of WebFinger have them somewhat conflated.</div><div><br></div><div>My personal preference would be to use &lt;Subject&gt; for trust and some other elements to describe scope.</div><div><br></div><div>However, mine is just one opinion.</div><div><br></div><div>No, I don't think &lt;Subject&gt; needs to be required in XRD.</div><div><br></div><div>Regards,</div><div>John B.</div><div><div><div>On 2009-10-27, at 1:10 AM, Santosh Rajan wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Hi John,<div>As you say, the host-meta "provides a mapping from some identifier to an XRD for that identifier". This is true in the larger context.</div><div><br></div><div>However, it is important to remember that it is not the "host-meta" itself that is doing the mapping. There is another application pointed to by the &lt;URITemplate&gt; that is actually doing the mapping.</div>
<div><br></div><div>So strictly speaking the host-meta "provides a mapping from an identifier to its resolver".</div><div><br></div><div>The host-meta is itself not doing the resolution, hence the host-meta need not be concerned with the resolution. Therefore it follows that the host-meta need not be concerned with the "scheme".</div>
<div><br></div><div>The whole "Scope" story is not required at all in this case.</div><div><br></div><div>In which case the &lt;Subject&gt; is required. The issue is then how you want to describe the Subject. "dns:<a href="http://example.com/">example.com</a>" should be good enough in this case.</div>
<div><br><br><div class="gmail_quote">On Tue, Oct 27, 2009 at 6:01 AM, John Bradley <span dir="ltr"><<a href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div style="word-wrap:break-word">Host-meta doesn't provide the OP.<div><br></div><div>It provides a mapping from some identifier to an XRD for that identifier.</div><div><br></div><div>It is the target XRD for the user that specifies the OP.</div>
<div><br></div><div>Link headers can also provide the location of the XRD if you are using HTTP or another protocol that supports them.</div><div><br></div><div>host-meta is an additional way to map identifiers to XRD for things like email, or in cases where the site can't or just doesn't want to use link headers. </div>
<div><br></div><div>The Link header is the replacement for the X-XRDS-Location custom header we were using in Yadis.</div><div><br></div><div>John B.<br><div><div><div></div><div class="h5"><div>On 2009-10-26, at 8:28 PM, Manger, James H wrote:</div>
<br></div></div><blockquote type="cite"><span style="border-collapse:separate;font-family:Helvetica;font-size:medium;font-style:normal;font-variant:normal;font-weight:normal;letter-spacing:normal;line-height:normal;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div lang="EN-AU" link="blue" vlink="purple">
<div><div></div><div class="h5"><div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"><span style="font-size:11pt;font-family:Calibri, sans-serif;color:rgb(31, 73, 125)">Dirk,</span></div>
<div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"><span style="font-size:11pt;font-family:Calibri, sans-serif;color:rgb(31, 73, 125)"> </span></div>
<div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"><span style="font-size:11pt;font-family:Calibri, sans-serif;color:rgb(31, 73, 125)">I don’t think your IBM example is a very convincing argument for host-meta to take precedence over an actual OpenID URI. Listing an OP in host-meta may be a bit easier for an IBM IT admin than preventing links to OPs from other URIs — but the latter is quite feasible (rules in the page editing tool; filter in web server; validator on page changes; background script to look in the file system for this specific situation…). Even a non-technical corporate policy saying staff must not specify another OP goes some way to meeting the objective.</span></div>
<div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"><span style="font-size:11pt;font-family:Calibri, sans-serif;color:rgb(31, 73, 125)"> </span></div>
<div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"><span style="font-size:11pt;font-family:Calibri, sans-serif;color:rgb(31, 73, 125)">It is probably more convenient for host-meta to be able to provide a default OP, which can be overwritten for some special URIs. Most OpenID URIs on a host don’t specify an OP so they fall back to host-meta, but a few can use a different OP (for non-humans, for contractors, for testing, for migrating to a new OP implementation, for staff with a different hardware login token…).</span></div>
<div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"><span style="font-size:11pt;font-family:Calibri, sans-serif;color:rgb(31, 73, 125)"> </span></div>
<div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"><span style="font-size:11pt;font-family:Calibri, sans-serif;color:rgb(31, 73, 125)"> </span></div>
<div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"><b><span lang="FR" style="font-family:Arial, sans-serif;color:rgb(31, 73, 125)">James Manger</span></b><span style="color:rgb(31, 73, 125)"><span> </span><br>
<a href="mailto:James.H.Manger@team.telstra.com" style="color:blue;text-decoration:underline" target="_blank"><span lang="FR" style="font-size:10pt;font-family:Arial, sans-serif">James.H.Manger@team.telstra.com</span></a><span> </span><br>
</span><span style="font-size:10pt;font-family:Arial, sans-serif;color:rgb(31, 73, 125)">Identity and security team</span><span style="color:rgb(31, 73, 125)"><span> </span></span><span style="font-size:10pt;font-family:Tahoma, sans-serif;color:rgb(31, 73, 125)">—</span><span style="font-size:10pt;font-family:Arial, sans-serif;color:rgb(31, 73, 125)"><span> </span>Chief Technology Office</span><span style="color:rgb(31, 73, 125)"><span> </span></span><span style="font-size:10pt;font-family:Tahoma, sans-serif;color:rgb(31, 73, 125)">—</span><span style="font-size:10pt;font-family:Arial, sans-serif;color:rgb(31, 73, 125)"><span> </span>Telstra</span><span style="color:rgb(31, 73, 125)"></span></div>
<div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"><span style="font-size:11pt;font-family:Calibri, sans-serif;color:rgb(31, 73, 125)"> </span></div>
<div style="border-right-style:none;border-bottom-style:none;border-left-style:none;border-width:initial;border-color:initial;border-top-style:solid;border-top-color:rgb(181, 196, 223);border-top-width:1pt;padding-top:3pt;padding-right:0cm;padding-bottom:0cm;padding-left:0cm">
<div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"><b><span lang="EN-US" style="font-size:10pt;font-family:Tahoma, sans-serif">From:</span></b><span lang="EN-US" style="font-size:10pt;font-family:Tahoma, sans-serif"><span> </span><a href="mailto:openid-general-bounces@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">openid-general-bounces@lists.openid.net</a><span> </span>[mailto:<a href="mailto:openid-general-bounces@lists.openid.net" target="_blank">openid-general-bounces@lists.openid.net</a>]<span> </span><b>On Behalf Of<span> </span></b>Dirk Balfanz<br>
<b>Sent:</b><span> </span>Tuesday, 27 October 2009 7:51 AM<br><b>To:</b><span> </span>Peter Williams<br><b>Cc:</b><span> </span><a href="mailto:general@openid.net" style="color:blue;text-decoration:underline" target="_blank">general@openid.net</a><br>
<b>Subject:</b><span> </span>Re: [OpenID] user centric delegation vs portability: LRDD : competing threats: the consumer's fear hypothesis</span></div></div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif">
</div><div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"><span style="color:rgb(31, 73, 125)">…</span>If you have your own domain, you can pick (and change) your identity provider. But if you're one of 300,000 IBM employees, there are certain things you can't pick about your work account - you can't pick your email provider, you can't pick your calendaring software, and you can't presumably pick your identity provider - professionals at IBM who get paid to worry about this stuff will pick one for you that they are reasonably sure will not, say, put into jeopardy the 401k accounts of the combined IBM workforce (because, hypothetically speaking, IBM uses OpenID to log their employees into<span> </span><a href="http://fidelity.com/" style="color:blue;text-decoration:underline" target="_blank">fidelity.com</a>). </div>
</div><div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif"> </div></div><div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif">
We need a single sign-on solution for the Web that works both for Blogger/Facebook/consumer use case as well as the IBM use case.</div></div><div><div style="margin-top:0cm;margin-right:0cm;margin-bottom:0.0001pt;margin-left:0cm;font-size:12pt;font-family:'Times New Roman', serif">
<br>Dirk.</div></div></div></div></div><div class="im">_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net" style="color:blue;text-decoration:underline" target="_blank">general@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-general" style="color:blue;text-decoration:underline" target="_blank">http://lists.openid.net/mailman/listinfo/openid-general</a><br></div></div></span></blockquote>
</div><br></div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><a href="http://hi.im/santosh">http://hi.im/santosh</a><br><br><br>
</div>
</blockquote></div><br></div></body></html>