OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xri message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [xri] About XRI resolution open issue #37



I think that Wil's proposal would work fine. 

But it would require some changes to the SAML trusted resolution section of
the spec. The problem with the spec currently is that it talks about trusted
"resolution" (conceivably this is trusted "XRI resolution") and thus it
deals exclusively with an Auth Res Service in section 6.2, etc.

Section 6 would need to be modified to deal with "trusted XRD proxy
dereferencing" and specify what Wil has proposed below.

~ Steve


-----Original Message-----
From: Tan, William [mailto:William.Tan@neustar.biz] 
Sent: Tuesday, January 16, 2007 5:20 AM
To: Steven Churchill
Cc: 'Drummond Reed'; xri@lists.oasis-open.org
Subject: Re: [xri] About XRI resolution open issue #37

It took me a while to wrap my head around this after ignoring the 
trusted resolution sections of the draft for so long.
Let me try correcting the following XRDS in Steve's example.

Steven Churchill wrote:
>
> Let's look at the degenerate case first: just resolving a single child 
> in the root.
>
> Say we want to resolve =steven.churchill for its OpenID service - and 
> that I set the highest priority URI for my OpenID service with a 
> xrdProxy="true".
>
> <XRDS ref="=steven.churchill">
>
> <XRD>
>
> <Query>*steven.churchill</Query>
>
> .
>
> <ProviderID>xri://=</ProviderID>
>
>
<saml:Assertion>contains-hash-signed-by-equals-private-key</saml:Assertion>
>
> <Service>
>
> <Type select="true">http://openid.net/signon/1.0</Type>
>
Insert here: <ProviderID>steve's i-number or some other persistent 
URI</ProviderID>
Insert here: <KeyInfo>public-key-of-the-above-ProviderID</KeyInfo>
>
> <URI xrdProxy="true">https://stevenchurchill.com/XRD/OpenID</URI>
>
> </Service>
>
> </XRD>
>
> <XRD proxy="true" (or perhaps this attribute is not needed if indeed 
> this is signed) >
>
> <Query>*steven.churchill</Query>
>
> .
>
> <ProviderID>what-goes-here?</ProviderID>
>
Replace above with: <ProviderID>steve's i-number or some other 
persistent URI</ProviderID>

> <saml:Assertion>contains-hash-signed-by-whom?</saml:Assertion>
>
Replace above with 
<saml:Assertion>signed-by-ProviderID-verifiable-using-KeyInfo-of-previous-Se
rvice/KeyInfo</saml:Assertion>
>
> <Service>
>
> <Type select="true">http://openid.net/signon/1.0</Type>
>
> <URI append="qxri" priority="1">https://2idi.com/openid/</URI>
>
> <URI append="qxri" priority="2">http://2idi.com/openid/</URI>
>
> </Service>
>
> </XRD>
>
> <XRDS>
>
> Drummond, is the hash in the second XRD signed by my own private key? 
> If so, do I need to add a $res*auth service to my *steven.churchill 
> XRD just to provide the <KeyInfo> (even though I really don't want 
> *steven.churchill to be a namespace)?
>
So, the URI that serves your "proxied" XRD has to be assigned a 
ProviderID. Its identifier and public key should be published by the 
Service element that led the resolver to fetch this URI, using the 
Service/ProviderID and Service/ds:KeyInfo elements respectively.


=wil


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]