Subject: RE: [xri] About XRI resolution open issue #37
I think that Wil's proposal would work fine. But it would require some changes to the SAML trusted resolution section of the spec. The problem with the spec currently is that it talks about trusted "resolution" (conceivably this is trusted "XRI resolution") and thus it deals exclusively with an Auth Res Service in section 6.2, etc. Section 6 would need to be modified to deal with "trusted XRD proxy dereferencing" and specify what Wil has proposed below.

~ Steve

-----Original Message-----
From: Tan, William [mailto:William.Tan@neustar.biz]
Sent: Tuesday, January 16, 2007 5:20 AM
To: Steven Churchill
Cc: 'Drummond Reed'; xri@lists.oasis-open.org
Subject: Re: [xri] About XRI resolution open issue #37

It took me a while to wrap my head around this after ignoring the trusted resolution sections of the draft for so long. Let me try correcting the following XRDS in Steve's example.

Steven Churchill wrote:
>
> Let's look at the degenerate case first: just resolving a single child in the root.
>
> Say we want to resolve =steven.churchill for its OpenID service - and that I set the highest priority URI for my OpenID service with a xrdProxy="true".
>
> <XRDS ref="=steven.churchill">
>   <XRD>
>     <Query>*steven.churchill</Query>
>     .
>     <ProviderID>xri://=</ProviderID>
>     <saml:Assertion>contains-hash-signed-by-equals-private-key</saml:Assertion>
>     <Service>
>       <Type select="true">http://openid.net/signon/1.0</Type>

Insert here: <ProviderID>steve's i-number or some other persistent URI</ProviderID>
Insert here: <KeyInfo>public-key-of-the-above-ProviderID</KeyInfo>

>       <URI xrdProxy="true">https://stevenchurchill.com/XRD/OpenID</URI>
>     </Service>
>   </XRD>
>   <XRD proxy="true" (or perhaps this attribute is not needed if indeed this is signed)
>     <Query>*steven.churchill</Query>
>     .
>     <ProviderID>what-goes-here?</ProviderID>

Replace above with: <ProviderID>steve's i-number or some other persistent URI</ProviderID>

>     <saml:Assertion>contains-hash-signed-by-whom?</saml:Assertion>

Replace above with: <saml:Assertion>signed-by-ProviderID-verifiable-using-KeyInfo-of-previous-Service/KeyInfo</saml:Assertion>

>     <Service>
>       <Type select="true">http://openid.net/signon/1.0</Type>
>       <URI append="qxri" priority="1">https://2idi.com/openid/</URI>
>       <URI append="qxri" priority="2">http://2idi.com/openid/</URI>
>     </Service>
>   </XRD>
> </XRDS>
>
> Drummond, is the hash in the second XRD signed by my own private key? If so, do I need to add a $res*auth service to my *steven.churchill XRD just to provide the <KeyInfo> (even though I really don't want *steven.churchill to be a namespace)?

So, the URI that serves your "proxied" XRD has to be assigned a ProviderID. Its identifier and public key should be published by the Service element that led the resolver to fetch this URI, using the Service/ProviderID and Service/ds:KeyInfo elements respectively.

=wil
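The trust chain Wil describes, as an added example that is not code from this thread or from the XRI TC: a resolver accepts an XRD fetched from an xrdProxy URI only if it carries the ProviderID the parent Service published and an assertion that verifies under that Service's KeyInfo. It assumes Ed25519 keys, a raw base64 public key standing in for ds:KeyInfo, a signature over a hash of the XRD standing in for the SAML assertion, and a constructed i-number and key pair.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Only the elements the trust check needs are modelled. ds:KeyInfo is reduced to a base64 raw
// Ed25519 public key and saml:Assertion to a base64 signature over a hash of the XRD (example assumptions).
type Service struct{ ProviderID, KeyInfo, URI string }
type XRD struct {
	Query, ProviderID, Assertion string
	Service                      Service
}
// digest is what the assertion covers: every field of the XRD except the assertion itself.
func digest(x XRD) []byte {
	h := sha256.Sum256([]byte(x.Query + "|" + x.ProviderID + "|" + x.Service.URI))
	return h[:]
}
// SignXRD is what the host of the proxied XRD does with the ProviderID's private key.
func SignXRD(x XRD, priv ed25519.PrivateKey) XRD {
	x.Assertion = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, digest(x)))
	return x
}
// VerifyProxiedXRD is the resolver's check on an XRD fetched from an xrdProxy="true" URI: it must carry
// the ProviderID the parent Service published and an assertion that verifies under that Service's KeyInfo.
func VerifyProxiedXRD(parent Service, x XRD) bool {
	if x.ProviderID != parent.ProviderID {
		return false
	}
	pub, e1 := base64.StdEncoding.DecodeString(parent.KeyInfo)
	sig, e2 := base64.StdEncoding.DecodeString(x.Assertion)
	return e1 == nil && e2 == nil && len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, digest(x), sig)
}

// Demo plays out the thread's example with a fresh key pair and a constructed i-number: the genuine
// proxied XRD is accepted, one whose OpenID endpoint was swapped after signing is not.
func Demo() (genuineOK, tamperedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	parent := Service{ProviderID: "=!F83.62B1.44F.2813", KeyInfo: base64.StdEncoding.EncodeToString(pub)}
	x := SignXRD(XRD{Query: "*steven.churchill", ProviderID: parent.ProviderID,
		Service: Service{URI: "https://2idi.com/openid/"}}, priv)
	tampered := x
	tampered.Service.URI = "https://elsewhere.example/openid/"
	return VerifyProxiedXRD(parent, x), VerifyProxiedXRD(parent, tampered)
}
func main() { fmt.Println(Demo()) } // prints: true false
```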