[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xri] CanonicalID verification text for section 11.
Les, In order to make progress, I suggest we
make use of the concepts and terminology in section 11.2. > Aren’t we talking about one
authority in this scenario? Let’s assume that, yes. > It just happens to have two
CIDs. The Canonical Identity Verification Graph
model distinguishes between “canonical identifier paths”
(represented by the set of highest priority xrd:CanonicalIDs) and the
lower-priority xrd:CanonicalIDs that are (most likely) the result of a merge. Please refer to Figure 11-2. CanonicalID
verification does this: If a I resolve @example*jane with cid=”true”
and I get back and XRD containing a canonical identifier path (a highest
priority CanonicalID) that is =!1, then Canonical ID
verification is a guarantee that the XRD was indeed produced by “=”.
(That stops someone from presenting, for example, a spoofed authentication
service endpoint in the XRD.) The above statement is the absolute key
point of Canonical ID verification. Once you “tick off” that key
point, then it is easy to see why that if the XRD contains more than one
canonical identifier path, then all these paths would need to be proper synonym paths. It’s because
synonym paths go through precisely the same nodes in the same order. Thus the
nodes at the end of these paths have only a single parent chain all the way to
the root. Thus for any canonical identifier path (such as =!1) it can be guaranteed that
each node was “produced” by its parent all the way to the root. No
spoofing. > That authority is a valid parent no
matter which CID the child used as a root … or atleast I think it
is. > If this is not true a merge of authorities
with children are a bit more complicated. To do a merge, > all the children would have to go
through some sort of migration so as to pass CID validation. Les, I’m not following this. Please
re-state if there is still confusion. ~ Steve From: Chasen, Les
[mailto:les.chasen@neustar.biz] Aren’t we talking about one
authority in this scenario? It just happens to have two
CIDs. That authority is a valid parent no matter which CID the
child used as a root … or atleast I think it is. If this
is not true a merge of authorities with children are a bit more
complicated. To do a merge, all the children would have to go through
some sort of migration so as to pass CID validation. From: Steven Churchill
[mailto:steven.churchill@xdi.org] Gabe, I’m guilty of given the
“what” but not the “why”.
The following is what
is meant by canonicalID verification: If I resolve an authority XRI for an XRD with cid=“true”,
and a [highest-priority] canonicalID is returned in XRD, then that XRD is guaranteed to be produced by the parent of the
canonicalID. --- The above is from page 5 of my article at:
http://www.oasis-open.org/committees/download.php/22395/xri-polyarchy-article.pdf. An XRD cannot be “produced” by
two authorities. For example, an XRD cannot be produced by both the parent of
the old authority and the parent of the new authority. Thus the
highest-priority Canonical IDs must be proper synonym paths. ~ Steve From: Steven Churchill
[mailto:steven.churchill@xdi.org] Gabe, Canonical ID verification only takes place
for canonical identifier paths. These
are represented in the XRD as the set of highest priority CanonicalIDs. Under a merge, the “old” and
the “new” Canonical IDs could not both be canonical identifier
paths, because canonical identifier paths MUST be proper synonym paths. This is explained in section 11.2.7.3.
In English: the old canonical identifier path cannot
represent an absolute identity for the merged authority. Therefore the old canonical identifier
path must be relegated to a lower-priority Canonical ID post merge. It is not a
canonical identifier path for the new authority, and it is not verified under
CanonicalID verification. Bet its all clear now. J ~ Steve From: Gabe Wachob
[mailto:gabe.wachob@amsoft.net] But in the case of authority merge, you
would say, the canonical id’s from the two authorities should be of the
same priority then?
-Gabe From: Steven Churchill
[mailto:steven.churchill@xdi.org] Gabe, The text intends to say this: only the
highest priority CanonicalIDs are validated under Canonical ID verification.
(Note that there may be more than one with the same highest priority, and if
so, they are all validated.) There may be other lower-priority
Canonical IDs as well, but these are not validated under Canonical ID
verification. These would be present, for example, in the case of an authority
merge. ~ Steve From: Gabe Wachob
[mailto:gabe.wachob@amsoft.net] Question: 1) In reading the first page, it looks like there is only one
canonical ID ever legally allowed in an XRD (the one with the highest priority)
– I thought the point was that canonical ID verification would result in
a legal CanonicalID and depending on how you got to the XRD, a specific
CanonicalID would be “verified” or not, depending on the resolution
path to get to the XRD. This is unrelated to “priority” attribute.
Are you saying this is NOT the case? From: Steven Churchill
[mailto:steven.churchill@xdi.org] Drummond, Attached are my changes for section 11. I still owe the changes for Appendix E. (These are small.) ~ Steve |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]