xri message



Subject: Re: [xri] xml dsig profile


On Mar 4, 2009, at 12:44 PM, Brian Eaton wrote:

> On Wed, Mar 4, 2009 at 6:54 AM, George Fletcher
> <george.fletcher@corp.aol.com> wrote:
>> But the need to expose these different endpoints is already a use case. I
>> want my PoCo and ActivityStream endpoints listed in my XRD. How do they get
>> there? Do I (the user) have to add them myself? Does the service that
>> generates the XRD have to provide UI to the user and present them all the
>> choices for what to add? That won't scale.
>
> That challenge needs to be addressed independent of any questions
> about XML DSIG vs Simple Sign vs Magic Security Dust.

Well, sort of.  It will be a challenge, I think, to concoct a non-XMLDsig
mode of signing document portions (rather than the entire XML stream).
But I am not wed to signature forms as much as I am to the use case I
described.

> Once we figure out the flows involved in managing XRDs, I think we'll
> end up at a point where each XRD for each user has either no signature
> (for use cases where security is not critical) or one signature.

Perhaps.  I have a few projects afoot which would benefit greatly from
service-level signing by different parties.  FWIW, any use case that
could be applied to a regulated space (e.g., any US corporation, gov't
agency, etc.) will likely require some form of service authentication
(but perhaps not always at service discovery time).

>
>
> The single signature case would work as follows:
>
> Actors: user, XRD host, third party
>
> 1) Third party gets permission to modify the XRD for the user.  That
> could be via an OAuth approval, or something out of band.
>
> 2) Third party sends a message to XRD host asking to add a service entry.
>
> 3) XRD host adds the entry, re-signs the XRD for the user.

Right, this will work for many cases, but not for mine :-(

> One key is all that's necessary, because the XRD for the user is *only
> making statements about the user*.  If you want authoritative data
> about the service, you need to go ask the service for that.
>
> So, yes, I see a need for service discovery and publication, no, I
> don't see a need for a single XRD to have multiple entries signed by
> different entities.

Peter Davis: NeuStar, Inc.
Director & Distinguished Member of the Technical Staff
45980 Center Oak Plaza Sterling, VA 20166
[T] +1 571 434 5516 [E] peter.davis@neustar.biz [W] http://www.neustar.biz/ 
  [X] xri://@neustar*pdavis [X] xri://=peterd
The information contained in this e-mail message is intended only for  
the use of the recipient(s) named above and may contain confidential  
and/or privileged information. If you are not the intended recipient  
you have received this e-mail message in error and any review,  
dissemination, distribution, or copying of this message is strictly  
prohibited. If you have received this communication in error, please  
notify us immediately and delete the original message.
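The two signing models argued over in this message (Brian's single host signature over the whole XRD, re-signed after every edit, versus Peter's per-service entries signed by different parties) are easy to confuse in prose, so here is an added example that contrasts them in code. It is not code from this thread, from NeuStar, or from the XRD specification work: the XRD layout is a namespace-free simplification, the subject, service type URIs, endpoint URIs and keys are all constructed, and HMAC-SHA256 from the standard library stands in for the XML DSig / public-key signature a real deployment would use. The canonicalization step is the point that makes either model work: the bytes that are signed must be computed the same way by signer and verifier, and must exclude the signature element itself.

```python
"""Two ways to sign an XRD: one host signature over the whole document
(Model A) versus one signature per <Service> entry by the party that
vouches for it (Model B).  Constructed example; HMAC-SHA256 stands in for
the XML DSig signature a real XRD host or service provider would produce."""
import hashlib
import hmac
import xml.etree.ElementTree as ET


def canonical_bytes(elem: ET.Element) -> bytes:
    """C14N 2.0 (stdlib) form of `elem`, minus any <Signature> descendant,
    so a signature never covers itself and whitespace changes are harmless."""
    xml = ET.tostring(elem, encoding="unicode")
    return ET.canonicalize(xml, strip_text=True, exclude_tags=["Signature"]).encode()


def sign(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(key: bytes, data: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


def new_xrd(subject: str) -> ET.Element:
    xrd = ET.Element("XRD")
    ET.SubElement(xrd, "Subject").text = subject
    return xrd


def add_service(xrd: ET.Element, service_type: str, uri: str) -> ET.Element:
    svc = ET.SubElement(xrd, "Service")
    ET.SubElement(svc, "Type").text = service_type
    ET.SubElement(svc, "URI").text = uri
    return svc


# ---- Model A: one key, one signature, held by the XRD host ---------------
def host_sign_document(xrd: ET.Element, host_key: bytes) -> None:
    """Replace any existing document signature with a fresh one by the host."""
    for old in xrd.findall("Signature"):
        xrd.remove(old)
    sig = ET.SubElement(xrd, "Signature", KeyName="xrd-host")
    sig.text = sign(host_key, canonical_bytes(xrd))


def verify_document(xrd: ET.Element, host_key: bytes) -> bool:
    sig = xrd.find("Signature")
    return sig is not None and verify(host_key, canonical_bytes(xrd), sig.text or "")


# ---- Model B: each <Service> signed by the party that provides it ---------
def party_sign_service(svc: ET.Element, party: str, party_key: bytes) -> None:
    for old in svc.findall("Signature"):
        svc.remove(old)
    sig = ET.SubElement(svc, "Signature", KeyName=party)
    sig.text = sign(party_key, canonical_bytes(svc))


def verify_services(xrd: ET.Element, keys: dict) -> dict:
    """Map each <Service> URI to True/False, using the key named in its own
    Signature; an entry with an unknown or missing signer is rejected."""
    results = {}
    for svc in xrd.findall("Service"):
        sig = svc.find("Signature")
        key = keys.get(sig.get("KeyName")) if sig is not None else None
        ok = key is not None and verify(key, canonical_bytes(svc), sig.text or "")
        results[svc.findtext("URI")] = ok
    return results


def demo() -> dict:
    host_key, poco_key, feed_key = b"host-key", b"poco-provider-key", b"feed-provider-key"
    poco_uri, feed_uri = "https://poco.example/user/1", "https://feeds.example/user/1"

    # Model A: a third party gets the host to add its entry; the host must
    # re-sign the whole XRD or the existing signature no longer verifies.
    xrd_a = new_xrd("=example")
    host_sign_document(xrd_a, host_key)
    add_service(xrd_a, "http://portablecontacts.net/spec/1.0", poco_uri)
    stale = verify_document(xrd_a, host_key)   # edit invalidated the signature
    host_sign_document(xrd_a, host_key)
    fresh = verify_document(xrd_a, host_key)   # host re-signed: valid again

    # Model B: two providers sign their own entries with their own keys; the
    # host only assembles.  Tampering with one entry breaks only that entry.
    xrd_b = new_xrd("=example")
    poco = add_service(xrd_b, "http://portablecontacts.net/spec/1.0", poco_uri)
    party_sign_service(poco, "poco.example", poco_key)
    feed = add_service(xrd_b, "http://activitystrea.ms/spec/1.0", feed_uri)
    party_sign_service(feed, "feeds.example", feed_key)
    keys = {"poco.example": poco_key, "feeds.example": feed_key}
    before = verify_services(xrd_b, keys)
    feed.find("URI").text = "https://evil.example/feed"   # redirect the feed endpoint
    after = verify_services(xrd_b, keys)
    return {"a_stale": stale, "a_fresh": fresh, "b_before": before, "b_after": after}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

In Model A every change, including a third party's insert, has to round-trip through the one party holding the key, which is exactly the flow Brian describes; in Model B the host can append an entry signed by someone else without touching the others, which is the property Peter's use case asks for, at the cost of the verifier needing a key for every signer named in the document. Either way, signing only a canonical byte string with the signature element excluded is what lets the signer and verifier agree on what was signed.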



