Subject: RE: [xri] Quick overview of descriptor discovery flow
Comments inline.

> -----Original Message-----
> From: Nat Sakimura [mailto:n-sakimura@nri.co.jp]
> Sent: Wednesday, December 17, 2008 4:15 AM
>
> > A /site-meta file can contain such a link:
> >
> > Link: <http://example.com/policy/privacy>; rel="privacy";
> >   type="application/p3p+xml"
> > Link: <http://example.com/site/descriptor>; rel="describedby";
> >   type="application/xrd+xml"
> > Link-Template: <http://example.com?meta={+uri}>; rel="describedby";
> >   type="application/xrd+xml"
> > Link: <http://example.com/signature>; rel="signature";
> >   type="application/signature+xml"
> >
> > And an XRD can contain such a link:
> >
> > <XRD>
> >   <CanonicalID>http://example.com/resource/1</CanonicalID>
> >   <URI>http://example.com/api/v1/resources?id=1</URI>
> >   <Type>http://example.com/some_type_of_resource</Type>
> >   <Link>
> >     <Rel>http://example.com/rel/my_calendar</Rel>
> >     <URI>http://example.com/calendar/1</URI>
> >   </Link>
> >   <Link>
> >     <Rel>signature</Rel>
> >     <MediaType>application/signature+xml</MediaType>
> >     <URI>http://example.com/signature</URI>
> >   </Link>
> > </XRD>
> >
> > What each of these documents is pointing to is a document looking
> > something like this:
> >
> > <Signature method="http://www.w3.org/2000/09/xmldsig#rsa-sha1">
> >   <ds:KeyInfo>
> >     <ds:X509Data>
> >       <ds:X509Certificate />
> >       <ds:X509Certificate />
> >     </ds:X509Data>
> >   </ds:KeyInfo>
> >   <Value>kjfsdlkfj943j4309jfl;kj;934jf;iwjf;934jf;oijdflkjsda==</Value>
> > </Signature>
>
> Just to be clear: The http://example.com/signature in /site-meta
> example and XRD example has different content, right?

Yes. The example should have used different signature file URIs.

> > And to verify it, the entire document linking to the signature (i.e.
> > the HTTP body used to retrieve it) is used with the listed
> > certificates to verify the signature. The authority of the
> > certificates is verified using something like the <CanonicalID> of the
> > XRD and the domain name of the /site-meta.
>
> I was wondering if we should stick to XML DSig syntax for describing
> X509 certs data etc. Since it is not XML DSig anymore, I was wondering
> if using ds:... could be a bit confusing.

I think the value of reusing a namespace is only there if existing software can do something smart with it. If not, we should define a new ns.

> Also, when we take into the XRI resolution <XRDS> use case, the file
> signing alone would not solve the issue. Brian, John and I have been
> discussing about it for a week or so now.

Can you explain?
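
Added example, not part of the original message or of any XRI TC specification: a standard-library Python sketch of the verification described in the quoted text, where an RSA-SHA1 signature covers the exact HTTP body of the linking document, which is why the /site-meta and XRD examples need separate signature files. The demo key built from two Mersenne primes, the function names, the sample bodies and the rule that a certificate name must equal the serving host are all assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed demo key: two Mersenne primes, so the block runs offline with
# only the standard library. Never use such a key outside a demonstration.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# DER DigestInfo prefix for SHA-1 (RFC 8017, section 9.2).
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

def _encode(body):
    """EMSA-PKCS1-v1_5 encoding of the SHA-1 digest of the exact body bytes."""
    t = SHA1_PREFIX + hashlib.sha1(body).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")

def sign(body):
    """Publisher side: produce the detached signature value for one body."""
    return pow(_encode(body), D, N)

def verify(body, signature):
    """Consumer side: recompute the encoding and compare it to sig^e mod n."""
    return 0 <= signature < N and pow(signature, E, N) == _encode(body)

def authority_ok(document_url, cert_dns_names):
    """Assumed binding rule: a listed, already chain-validated certificate
    must name the host that served the linking document."""
    host = (urlsplit(document_url).hostname or "").lower()
    return host != "" and host in {n.lower() for n in cert_dns_names}

def check(document_url, body, signature, cert_dns_names):
    """Accept only if both the authority binding and the signature hold."""
    return authority_ok(document_url, cert_dns_names) and verify(body, signature)

# Constructed HTTP bodies modelled on the two documents in the thread.
SITE_META = (b'Link: <http://example.com/signature>; rel="signature"; '
             b'type="application/signature+xml"\n')
XRD = b"<XRD><CanonicalID>http://example.com/resource/1</CanonicalID></XRD>"
SITE_META_SIG = sign(SITE_META)
```

Because the signed input is the raw body, any re-serialization by a proxy or cache changes the bytes and the check fails closed.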