<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I don't think OpenID will look in the host-meta for the OP. <div><br></div><div>I suppose that it could, but that would definitely not be user-centric behaviour.</div><div><br></div><div>Users don't enter a host-meta identifier. It is used as one of the ways to discover the XRD for an identifier.</div><div><br></div><div>It is not an XRD for the identifier itself.</div><div><br></div><div>In the case of <a href="http://example.com">example.com</a>, if I want to find the XRD for <a href="https://example.com">https://example.com</a> (say it is used as an OP identifier for directed identity) and <a href="http://example.com">example.com</a> doesn't want to use link headers for some reason:</div><div><br></div><div>The resolver first retrieves host-meta from the well-known location.</div><div><br></div><div>It retrieves it via https or verifies the signature of the XRD.</div><div><br></div><div>(Yes Santosh, if the XRD had dns:example.com as the subject, that would work to verify it.)</div><div><br></div><div>The resolver then determines if the XRD's scope includes https.</div><div><br></div><div>If it is in scope, the resolver uses the matching template for the scheme + host + port with <a href="https://example.com">https://example.com</a> as the input and produces the new URI where the XRD for <a href="https://example.com">https://example.com</a> can be retrieved from.</div><div><br></div><div>It could be <a href="http://bar.com/xrd/example.com">http://bar.com/xrd/example.com</a> or anything else for that matter.</div><div><br></div><div>It is the Links in that XRD that control who the OP is.</div><div><br></div><div>There are lurking questions about whether an XRD retrieved over http can be authoritative for schemes other than the one it was retrieved via.</div><div><br></div><div>My contention is that the subject (it may not be called that) of the XRD is the subject of the SSL certificate that is signing it.</div><div><br></div><div>The XRD should be self-standing. This is important if you want it to be able to map identifiers that don't have their own transport protocol that can return a document. I would class email addresses as that. Yes, you could modify SMTP, but you don't want to.</div><div><br></div><div>I prefer to think of host-meta as being part of the X.509 trust chain that can delegate trust to downstream XRD rather than something that is rooted directly in the URI authority hierarchy.</div><div><br></div><div>The discussion is ongoing. 
My opinion may well not be the majority one at the end of the day.</div><div><br></div><div>John B.</div><div><br></div><div><div><div>On 2009-10-27, at 9:49 PM, Manger, James H wrote:</div><br><blockquote type="cite"><div lang="EN-AU"><div class="Section1"><div>John,</div><div><br></div><div>> Host-meta doesn't provide the OP.</div><div>> It provides a mapping from some identifier to an XRD for that identifier.</div><div>> It is the target XRD for the user that specifies the OP.</div><div><br></div><div>Thanks for reminding me of the extra layer of indirection.</div><div>That does mean a solution where host-meta takes precedence still has some flexibility to handle, say, a different OP for just a few special OpenID URIs on a site.</div><div><br></div><div>Host-meta now uses the XRD syntax. It no longer just looks like a mapping from identifiers to the metadata (XRD) for each identifier. It now looks like common metadata (XRD) for a host of identifiers, optionally with a reference to more identifier-specific metadata (XRD).</div><div><br></div><div>If host-meta can say: the ‘describedby’ link for all URIs at this host is xyz; why shouldn’t it say the ‘openid2.provider’ link for all URIs at this host is abc? The semantics seem to work, as long as RPs are looking for this relation in host-meta.</div><div><br></div><div>A ‘describedby’ link in an XRD looks like an app-layer version of an HTTP redirect: you can have 0, 1, or more of them. [Perhaps an “@import url(…)” statement in a cascading stylesheet is a better analogy, as it also has issues of merging data from various sources.]</div><div>I guess a higher layer, like OpenID, might choose to mandate that “there MUST be exactly 1 level of indirection” (i.e. host-meta SHALL specify a ‘describedby’ link, but no ‘openid*’ links; whereas an OpenID identifier’s XRD SHALL NOT include a ‘describedby’ link).</div><div><br></div><div><b>James Manger</b><br><a href="mailto:James.H.Manger@team.telstra.com">James.H.Manger@team.telstra.com</a><br>Identity and security team — Chief Technology Office — Telstra</div></div>_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br><a href="http://lists.openid.net/mailman/listinfo/openid-general">http://lists.openid.net/mailman/listinfo/openid-general</a><br></div></blockquote></div><br></div></body></html>
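The resolution John walks through above (host-meta from the well-known location, trusted only if fetched over https or signed, an lrdd template applied to the full scheme + host + port identifier, then the per-identifier XRD whose Links name the OP) as an added worked example. This is editor-written code, not code from either poster or from the OpenID or host-meta drafts. Assumptions: the rel names "lrdd" and "openid2.provider", the "{uri}" template variable, the "dns:host" Subject form for host-meta, and the whole "network" (the DOCS table) are constructed for the example; signature verification is reduced to a per-document flag rather than real XML-DSig; and the "scope" step is reduced to a Subject match because the thread gives no scope syntax. The last check, that the identifier XRD's Subject must equal the input identifier scheme included, models John's contention that an XRD fetched over http cannot speak for an https identifier.

```python
"""Added example: host-meta -> identifier XRD -> OP resolution with the trust
checks from the thread. All documents, URLs and rel names are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

XRD_NS = "{http://docs.oasis-open.org/ns/xri/xrd-1.0}"


def xrd(subject, *links):
    """Build a minimal XRD string for the constructed fixtures below."""
    body = "".join(f'<Link rel="{r}" {k}="{v}"/>' for r, k, v in links)
    return (f'<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">'
            f'<Subject>{subject}</Subject>{body}</XRD>')


# Constructed "network": url -> (document, signature verified?). The scheme of
# the key is the scheme the document was served over, which is what the trust
# decision in authoritative() looks at.
DOCS = {
    # example.com: host-meta over https delegates to bar.com; the identifier XRD
    # at bar.com is served over plain http but carries a verified signature.
    "https://example.com/.well-known/host-meta":
        (xrd("dns:example.com", ("lrdd", "template", "http://bar.com/xrd/{uri}")), False),
    "http://bar.com/xrd/https%3A%2F%2Fexample.com":
        (xrd("https://example.com", ("openid2.provider", "href", "https://op.example.net/auth")), True),
    # weak.example: host-meta only reachable over http, and unsigned.
    "http://weak.example/.well-known/host-meta":
        (xrd("dns:weak.example", ("lrdd", "template", "http://weak.example/xrd/{uri}")), False),
    # mixed.example: the XRD served for the https identifier claims the http one.
    "https://mixed.example/.well-known/host-meta":
        (xrd("dns:mixed.example", ("lrdd", "template", "https://mixed.example/xrd/{uri}")), False),
    "https://mixed.example/xrd/https%3A%2F%2Fmixed.example":
        (xrd("http://mixed.example", ("openid2.provider", "href", "https://op.mixed.example/")), False),
}


def fetch(url):
    """Stand-in for HTTP GET: returns (body, served_over_https, signature_ok)."""
    body, signed = DOCS[url]          # KeyError == 404 for this example
    return body, urlsplit(url).scheme == "https", signed


def authoritative(served_https, signed):
    """John's rule: a document counts only if it came over https or is signed."""
    return served_https or signed


def parse_xrd(body):
    root = ET.fromstring(body)
    subject = root.findtext(XRD_NS + "Subject")
    links = [dict(el.attrib) for el in root.iter(XRD_NS + "Link")]
    return subject, links


def expand(template, uri):
    # The whole identifier (scheme, host, port) is the template input.
    return template.replace("{uri}", quote(uri, safe=""))


def resolve_op(identifier):
    parts = urlsplit(identifier)
    # Step 1: host-meta from the well-known location, https preferred.
    for scheme in ("https", "http"):
        try:
            body, https, signed = fetch(f"{scheme}://{parts.netloc}/.well-known/host-meta")
            break
        except KeyError:
            continue
    else:
        raise ValueError("no host-meta document")
    if not authoritative(https, signed):
        raise ValueError("host-meta neither served over https nor signed")
    subject, links = parse_xrd(body)
    if subject != f"dns:{parts.hostname}":
        raise ValueError(f"host-meta subject {subject!r} is not for {parts.hostname}")
    # Step 2: the lrdd template gives the location of the identifier's own XRD.
    templates = [l["template"] for l in links if l.get("rel") == "lrdd" and "template" in l]
    if not templates:
        raise ValueError("host-meta carries no lrdd template")
    body, https, signed = fetch(expand(templates[0], identifier))
    if not authoritative(https, signed):
        raise ValueError("identifier XRD neither served over https nor signed")
    subject, links = parse_xrd(body)
    # Step 3: the XRD must be self-standing for exactly this identifier, scheme
    # included, so an XRD for http://host cannot be used for https://host.
    if subject != identifier:
        raise ValueError(f"XRD subject {subject!r} does not match {identifier!r}")
    for link in links:
        if link.get("rel") == "openid2.provider" and "href" in link:
            return link["href"]
    raise ValueError("identifier XRD names no openid2.provider")


def resolution_error(identifier):
    """Return the reason resolution failed closed, or None if it succeeded."""
    try:
        resolve_op(identifier)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(resolve_op("https://example.com"))
    for ident in ("https://weak.example", "https://mixed.example"):
        print(ident, "->", resolution_error(ident))
```

The three fixtures exercise the three branches of the argument: delegation to a different host works when the delegated XRD is signed even though it travels over http; an unsigned host-meta that can only be fetched over http is refused outright; and an XRD fetched for the https identifier that names the http identifier as its Subject is refused, which is the outcome John's "subject of the signing certificate" position implies.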