Re: [xri] xml dsig profile

[Brian Eaton <beaton@google.com>]

On Wed, Mar 4, 2009 at 6:54 AM, George Fletcher
<george.fletcher@corp.aol.com> wrote:
> But the need to expose these different endpoints is already a use case. I
> want my PoCo and ActivityStream endpoints listed in my XRD. How do they get
> there? Do I (the user) have to add them myself? Does the service that
> generates the XRD have to provide UI to the user and present them all the
> choices for what to add? That won't scale.

That challenge needs to be addressed independent of any questions
about XML DSIG vs Simple Sign vs Magic Security Dust.

Once we figure out the flows involved in managing XRDs, I think we'll
end up at a point where each XRD for each user has either no signature
(for use cases where security is not critical) or one signature.

The single signature case would work as follows:

Actors: user, XRD host, third party

1) Third party gets permission to modify the XRD for the user.  That
could be via an OAuth approval, or something out of band.

2) Third party sends a message to XRD host asking to add a service entry.

3) XRD host adds the entry, resigns the XRD for the user.

One key is all that's necessary, because the XRD for the user is *only
making statements about the user*.  If you want authoritative data
about the service, you need to go ask the service for that.

So, yes, I see a need for service discovery and publication, no, I
don't see a need for a single XRD to have multiple entries signed by
different entities.