
Subject: Re: [xri] xml dsig profile


I'm fine with this approach. It doesn't preclude Peter's use case, but 
does introduce an additional fetch to determine if the referenced 
service matches what the third party app requires.

Thanks,
George

Brian Eaton wrote:
> On Wed, Mar 4, 2009 at 6:54 AM, George Fletcher
> <george.fletcher@corp.aol.com> wrote:
>   
>> But the need to expose these different endpoints is already a use case. I
>> want my PoCo and ActivityStream endpoints listed in my XRD. How do they get
>> there? Do I (the user) have to add them myself? Does the service that
>> generates the XRD have to provide UI to the user and present them all the
>> choices for what to add? That won't scale.
>>     
>
> That challenge needs to be addressed independent of any questions
> about XML DSIG vs Simple Sign vs Magic Security Dust.
>
> Once we figure out the flows involved in managing XRDs, I think we'll
> end up at a point where each XRD for each user has either no signature
> (for use cases where security is not critical) or one signature.
>
> The single signature case would work as follows:
>
> Actors: user, XRD host, third party
>
> 1) Third party gets permission to modify the XRD for the user.  That
> could be via an OAuth approval, or something out of band.
>
> 2) Third party sends a message to XRD host asking to add a service entry.
>
> 3) XRD host adds the entry, resigns the XRD for the user.
>
> One key is all that's necessary, because the XRD for the user is *only
> making statements about the user*.  If you want authoritative data
> about the service, you need to go ask the service for that.
>
> So, yes, I see a need for service discovery and publication, no, I
> don't see a need for a single XRD to have multiple entries signed by
> different entities.
>   

-- 
Chief Architect                   AIM:  gffletch
Identity Services                 Work: george.fletcher@corp.aol.com
AOL LLC                           Home: gffletch@aol.com
Mobile: +1-703-462-3494           
Office: +1-703-265-2544           Blog: http://practicalid.blogspot.com
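The single-signature flow in Brian's message (a user authorises a third party, the third party asks the XRD host to add an entry, the host adds it and re-signs the user's XRD with its one key) and George's point that a relying party still has to fetch the referenced service to learn anything authoritative about it, worked through as an added Python example. This is not code from either author or from the OASIS XRI TC. Assumptions: the XRD 1.0 namespace and `<Link rel= href=>` service entries; a simplified enveloped `<ds:Signature>` that carries only a SignatureValue rather than a full XML DSIG structure; a hand-rolled RSA PKCS#1 v1.5/SHA-256 signature over the C14N form of the document so the script runs on a bare Python 3.8+ install; a demo RSA key built from two Mersenne primes, which anyone can recompute and which is therefore not a secret; and the hypothetical names `XrdHost`, `grant`, `add_link`, `verify_xrd`. The subject `acct:george@example.com` and the PoCo endpoint URL are constructed sample data.

```python
"""Added example, not code from the thread or the OASIS XRI TC: an XRD host with one
signing key. Assumed: the XRD 1.0 namespace and <Link rel= href=> entries, a simplified
enveloped <ds:Signature> carrying only a SignatureValue, and hand-rolled RSA
PKCS#1 v1.5/SHA-256 so this runs on bare Python 3.8+ (use xmlsec for real XML DSIG)."""
import base64, copy, hashlib, secrets
import xml.etree.ElementTree as ET

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"   # assumed XRD 1.0 namespace
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", XRD_NS)
ET.register_namespace("ds", DSIG_NS)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017

# Demo RSA key from the Mersenne primes 2^521-1 and 2^607-1, so no prime search is needed.
# Anyone can recompute this private key: it is a fixture for the example, not a secret.
_P, _Q, _E = (1 << 521) - 1, (1 << 607) - 1, 65537
DEMO_PUB, DEMO_PRIV = (_P * _Q, _E), (_P * _Q, pow(_E, -1, (_P - 1) * (_Q - 1)))

def _emsa_pkcs1_v15(message, em_len):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), returned as an integer."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t, "big")

def rsa_sign(priv, message):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(message, k), d, n).to_bytes(k, "big")

def rsa_verify(pub, message, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == _emsa_pkcs1_v15(message, k)

def signed_bytes(xrd):
    """C14N form of the XRD with the enveloped Signature removed: the bytes that get signed."""
    tree = copy.deepcopy(xrd)
    for sig in tree.findall(f"{{{DSIG_NS}}}Signature"):
        tree.remove(sig)
    return ET.canonicalize(ET.tostring(tree, encoding="unicode")).encode()

class XrdHost:
    """One host key signs every user's XRD; each XRD only makes statements about its user."""

    def __init__(self, keypair=(DEMO_PUB, DEMO_PRIV)):
        self.pub, self._priv = keypair
        self._xrds = {}      # subject -> XRD Element
        self._grants = {}    # token -> subject; stands in for the OAuth approval of step 1

    def create_xrd(self, subject):
        root = ET.Element(f"{{{XRD_NS}}}XRD")
        ET.SubElement(root, f"{{{XRD_NS}}}Subject").text = subject
        self._xrds[subject] = root
        self._resign(root)

    def grant(self, subject):
        """Step 1: the user authorises a third party; the token is handed to that party."""
        token = secrets.token_urlsafe(16)
        self._grants[token] = subject
        return token

    def add_link(self, token, subject, rel, href):
        """Steps 2 and 3: an authorised third party asks for an entry; the host adds it and resigns."""
        if self._grants.get(token) != subject:
            raise PermissionError("token does not authorise changes to this user's XRD")
        root = self._xrds[subject]
        ET.SubElement(root, f"{{{XRD_NS}}}Link", rel=rel, href=href)
        self._resign(root)

    def serve(self, subject):
        return ET.tostring(self._xrds[subject], encoding="unicode")

    def _resign(self, root):
        for old in root.findall(f"{{{DSIG_NS}}}Signature"):
            root.remove(old)
        sig = ET.SubElement(root, f"{{{DSIG_NS}}}Signature")
        value = rsa_sign(self._priv, signed_bytes(root))
        ET.SubElement(sig, f"{{{DSIG_NS}}}SignatureValue").text = base64.b64encode(value).decode()

def verify_xrd(xml_text, host_pub):
    """Relying party: exactly one signature, made by the host key, over the whole XRD."""
    root = ET.fromstring(xml_text)
    sigs = root.findall(f"{{{DSIG_NS}}}Signature")
    if len(sigs) != 1:
        return False
    try:
        sig = base64.b64decode(sigs[0].findtext(f"{{{DSIG_NS}}}SignatureValue") or "", validate=True)
    except ValueError:
        return False
    return rsa_verify(host_pub, signed_bytes(root), sig)

if __name__ == "__main__":
    host, user = XrdHost(), "acct:george@example.com"      # constructed sample subject
    host.create_xrd(user)
    token = host.grant(user)                                # step 1
    host.add_link(token, user, "http://portablecontacts.net/spec/1.0",
                  "https://poco.example.net/george")        # steps 2 and 3
    doc = host.serve(user)
    print(doc, "\nvalid:", verify_xrd(doc, host.pub))
    print("tampered valid:", verify_xrd(doc.replace("poco.example.net", "evil.example"), host.pub))
```

The host never signs on the third party's behalf and never stores a second signer: it checks the grant, appends the entry, strips the old signature and signs the canonical form of the whole document again, so a relying party needs exactly one key per host and any later edit to the served XML (the tampered `href` in the demo) fails verification. What the signature does not say is whether `https://poco.example.net/george` is a PortableContacts endpoint with the capabilities a particular app needs; that is the extra fetch George mentions, and the relying party has to make it against the service itself. The one-element `ds:Signature` and the fixed demo key are stand-ins for this walkthrough only; a real deployment uses a conformant XML DSIG library and a host key that is actually private.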
