I said,
> (I will add, however, that that is
the only case where my statement
does not hold.)
Okay, my statement does not hold for the
general case of merging children under the same authority node.
~ Steve
From: Steven Churchill
[mailto:steven.churchill@xdi.org]
Sent: Monday, June 04, 2007 5:50
PM
To: 'Chasen, Les';
Subject: RE: [xri] CanonicalID verification
text for section 11.
Les,
You got me on this one!
Your example illustrates the sole case
(merging a child of the root with another child of the same root) where the old
and new canonical identifier paths are indeed
proper synonym paths.
My statement does not hold under that one
case:
> Under a merge, the “old”
and the “new” Canonical IDs could not both be canonical identifier
paths,
> because canonical identifier paths
MUST be proper synonym paths.
This is explained in section
> 11.2.7.3.
Sorry for the confusion!
(I will add, however, that that is the only case where my statement does not
hold.)
~ Steve
From: Chasen, Les
[mailto:les.chasen@neustar.biz]
Sent: Monday, June 04, 2007 5:27
PM
To: Steven Churchill; Gabe Wachob;
xri@lists.oasis-open.org
Subject: RE: [xri] CanonicalID
verification text for section 11.
So this is the scenario that I saw laid
out in this thread …. Say I have these two authorities
And the a2 authority merges into the a1
authority. My question is what happens to the children. I have
always thought that this is what we end up with.
### Certainly the auth-res-service of the
merged authority could be set up to return XRDs for =a2*c1 and =a2*c2. However
the CIDs =!2!a and =!2!b would NOT be verifiable under the current proposal. I
would suggest that we would not want a model containing the complexity required
to make that so!
The parent nodes merged so I have one
authority with synonyms =a1, =a2, =!1 and =!2. Let’s assume that
=!1 has a higher priority. Does that mean that the children from the =a2
name space fail to pass CID validation?
### yes (as stated above.) The children of
=a2 would need to return highest priority CIDs that are parented
Do they have to have a migration happen
such that a synonym is added for =!1!a so that CID validation passes? Of
course that is not possible because =!1!a already exists and I don’t
intend the children to be merged. So I guess I will need to add a synonym
that is =!1!c.
From: Steven Churchill
[mailto:steven.churchill@xdi.org]
Sent: Monday, June 04, 2007 7:57
PM
To: Chasen, Les;
Subject: RE: [xri] CanonicalID
verification text for section 11.
Les,
In order to make progress, I suggest we
make use of the concepts and terminology in section 11.2.
> Aren’t we talking about one
authority in this scenario?
Let’s assume that, yes.
> It just happens to have two
CIDs.
The Canonical Identity Verification Graph
model distinguishes between “canonical identifier paths”
(represented by the set of highest priority xrd:CanonicalIDs) and the
lower-priority xrd:CanonicalIDs that are (most likely) the result of a merge.
Please refer to Figure 11-2. CanonicalID verification
does this: If a I resolve @example*jane with cid=”true” and I get
back and XRD containing a canonical identifier path (a highest priority
CanonicalID) that is =!1, then Canonical ID verification is a guarantee that the XRD was
indeed produced by “=”. (That stops someone from presenting, for
example, a spoofed authentication service endpoint in the XRD.)
The above statement is the absolute key
point of Canonical ID verification.
Once you “tick off” that key point,
then it is easy to see why that if the XRD contains more than one canonical
identifier path, then all these paths would need to be proper synonym paths. It’s because
synonym paths go through precisely the same nodes in the same order. Thus the
nodes at the end of these paths have only a single parent chain all the way to
the root. Thus for any canonical identifier path (such as =!1) it can be guaranteed
that each node was “produced” by its parent all the way to the
root. No spoofing.
> That authority is a valid parent no
matter which CID the child used as a root … or atleast I think it
is.
> If this is not true a merge of
authorities with children are a bit more complicated. To do a merge,
> all the children would have to go
through some sort of migration so as to pass CID validation.
Les, I’m not following this. Please
re-state if there is still confusion.
~ Steve
From: Chasen, Les
[mailto:
Sent: Monday, June 04, 2007 4:21
PM
To: Steven Churchill; Gabe Wachob;
xri@lists.oasis-open.org
Subject: RE: [xri] CanonicalID
verification text for section 11.
Aren’t we talking about one
authority in this scenario? It just happens to have two
CIDs. That authority is a valid parent no matter which CID the
child used as a root … or atleast I think it is. If
this is not true a merge of authorities with children are a bit more
complicated. To do a merge, all the children would have to go through
some sort of migration so as to pass CID validation.
From: Steven Churchill
[mailto:steven.churchill@xdi.org]
Sent: Monday, June 04, 2007 7:05 PM
To:
Subject: RE: [xri] CanonicalID
verification text for section 11.
Gabe,
I’m guilty of given the
“what” but not the “why”.
---
The following is
what is meant by canonicalID verification:
If I resolve an authority XRI for an XRD with cid=“true”,
and a [highest-priority] canonicalID is returned in
XRD, then that XRD is guaranteed to be produced by the parent of the
canonicalID.
---
The above is from page 5 of my article at:
http://www.oasis-open.org/committees/download.php/22395/xri-polyarchy-article.pdf.
An XRD cannot be “produced” by
two authorities. For example, an XRD cannot be produced by both the parent of
the old authority and the parent of the new authority. Thus the
highest-priority Canonical IDs must be proper synonym paths.
~ Steve
From: Steven Churchill
[mailto:steven.churchill@xdi.org]
Sent: Monday, June 04, 2007 3:53
PM
To:
Subject: RE: [xri] CanonicalID
verification text for section 11.
Gabe,
Canonical ID verification only takes place
for canonical identifier paths.
These are represented in the XRD as the set of highest priority CanonicalIDs.
Under a merge, the “old” and
the “new” Canonical IDs could not both be canonical identifier
paths, because canonical identifier paths MUST be proper synonym paths. This is explained in section 11.2.7.3.
In English: the old canonical identifier path cannot
represent an absolute identity for the merged authority.
Therefore the old canonical identifier
path must be relegated to a lower-priority Canonical ID post merge. It is not a
canonical identifier path for the new authority, and it is not verified under
CanonicalID verification.
Bet its all clear now. J
~ Steve
From: Gabe Wachob
[mailto:gabe.wachob@amsoft.net]
Sent: Monday, June 04, 2007 2:59
PM
To: 'Steven Churchill';
xri@lists.oasis-open.org
Subject: RE: [xri] CanonicalID
verification text for section 11.
But in the case of authority merge, you
would say, the canonical id’s from the two authorities should be of the
same priority then?
-Gabe
From: Steven Churchill
[mailto:steven.churchill@xdi.org]
Sent: Monday, June 04, 2007 2:32
PM
To:
Subject: RE: [xri] CanonicalID
verification text for section 11.
Gabe,
The text intends to say this: only the
highest priority CanonicalIDs are validated under Canonical ID verification.
(Note that there may be more than one with the same highest priority, and if
so, they are all validated.)
There may be other lower-priority
Canonical IDs as well, but these are not validated under Canonical ID
verification. These would be present, for example, in the case of an authority
merge.
~ Steve
From: Gabe Wachob
[mailto:gabe.wachob@amsoft.net]
Sent: Monday, June 04, 2007 12:53
PM
To: 'Steven Churchill';
xri@lists.oasis-open.org
Subject: RE: [xri] CanonicalID verification
text for section 11.
Question:
1) In reading the first page, it looks like there is only one
canonical ID ever legally allowed in an XRD (the one with the highest priority)
– I thought the point was that canonical ID verification would result in
a legal CanonicalID and depending on how you got to the XRD, a specific
CanonicalID would be “verified” or not, depending on the resolution
path to get to the XRD. This is unrelated to “priority” attribute.
Are you saying this is NOT the case?
From: Steven Churchill
[mailto:steven.churchill@xdi.org]
Sent: Saturday, June 02, 2007 1:59
PM
To: xri@lists.oasis-open.org
Subject: [xri] CanonicalID
verification text for section 11.
Drummond,
Attached are my changes for section 11.
I still owe the changes for Appendix E. (These are small.)
~ Steve