OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xri message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [xri] CanonicalID verification text for section 11.


 

One more thing:


There is a fundamental concept here that I should point out. It is that of absolute identity. Authority nodes in the Canonical Identity Verification Graph have absolute identity that is defined by the node’s canonical identifier path. An authority node within this model cannot have more than one absolute identity. Thus all canonical identifier paths must be proper synonym paths.

 

~ Steve

 

 


From: Steven Churchill [mailto:steven.churchill@xdi.org]
Sent: Monday, June 04, 2007 4:57 PM
To: 'Chasen, Les'; 'Gabe Wachob'; xri@lists.oasis-open.org
Subject: RE: [xri] CanonicalID verification text for section 11.

 

Les,

 

In order to make progress, I suggest we make use of the concepts and terminology in section 11.2.

 

> Aren’t we talking about one authority in this scenario?  

Let’s assume that, yes.

 

> It just happens to have two CIDs.  

The Canonical Identity Verification Graph model distinguishes between “canonical identifier paths” (represented by the set of highest priority xrd:CanonicalIDs) and the lower-priority xrd:CanonicalIDs that are (most likely) the result of a merge.

 

Please refer to Figure 11-2. CanonicalID verification does this: If a I resolve @example*jane with cid=”true” and I get back and XRD containing a canonical identifier path (a highest priority CanonicalID) that is =!1, then Canonical ID verification is a guarantee that the XRD was indeed produced by “=”. (That stops someone from presenting, for example, a spoofed authentication service endpoint in the XRD.)

 

The above statement is the absolute key point of Canonical ID verification.

 

Once you “tick off” that key point, then it is easy to see why that if the XRD contains more than one canonical identifier path, then all these paths would need to be proper synonym paths. It’s because synonym paths go through precisely the same nodes in the same order. Thus the nodes at the end of these paths have only a single parent chain all the way to the root. Thus for any canonical identifier path (such as =!1) it can be guaranteed that each node was “produced” by its parent all the way to the root. No spoofing.

 

> That authority is a valid parent no matter which CID the child used as a root … or atleast I think it is.   

> If this is not true a merge of authorities with children are a bit more complicated.  To do a merge,

> all the children would have to go through some sort of migration so as to pass CID validation.

 

Les, I’m not following this. Please re-state if there is still confusion.

 

~ Steve

 

 

 

 

 

 

 


From: Chasen, Les [mailto:les.chasen@neustar.biz]
Sent: Monday, June 04, 2007 4:21 PM
To: Steven Churchill; Gabe Wachob; xri@lists.oasis-open.org
Subject: RE: [xri] CanonicalID verification text for section 11.

 

Aren’t we talking about one authority in this scenario?   It just happens to have two CIDs.   That authority is a valid parent no matter which CID the child used as a root … or atleast I think it is.    If this is not true a merge of authorities with children are a bit more complicated.  To do a merge, all the children would have to go through some sort of migration so as to pass CID validation.

 

contact: =les

sip: =les/(+phone)

chat: =les/skype/chat

 

 


From: Steven Churchill [mailto:steven.churchill@xdi.org]
Sent: Monday, June 04, 2007 7:05 PM
To: 'Gabe Wachob'; xri@lists.oasis-open.org
Subject: RE: [xri] CanonicalID verification text for section 11.

 

Gabe,

 

I’m guilty of given the “what” but not the “why”.


---

The following is what is meant by canonicalID verification:

 

If I resolve an authority XRI for an XRD with cid=“true”, and a [highest-priority] canonicalID is returned in

XRD, then that XRD is guaranteed to be produced by the parent of the canonicalID.

---

 

The above is from page 5 of my article at: http://www.oasis-open.org/committees/download.php/22395/xri-polyarchy-article.pdf.

 

An XRD cannot be “produced” by two authorities. For example, an XRD cannot be produced by both the parent of the old authority and the parent of the new authority. Thus the highest-priority Canonical IDs must be proper synonym paths.

 

~ Steve

 

 


From: Steven Churchill [mailto:steven.churchill@xdi.org]
Sent: Monday, June 04, 2007 3:53 PM
To: 'Gabe Wachob'; 'xri@lists.oasis-open.org'
Subject: RE: [xri] CanonicalID verification text for section 11.

 

Gabe,

 

Canonical ID verification only takes place for canonical identifier paths. These are represented in the XRD as the set of highest priority CanonicalIDs.

 

Under a merge, the “old” and the “new” Canonical IDs could not both be canonical identifier paths, because canonical identifier paths MUST be proper synonym paths. This is explained in section 11.2.7.3. In English: the old canonical identifier path cannot represent an absolute identity for the merged authority.

 

Therefore the old canonical identifier path must be relegated to a lower-priority Canonical ID post merge. It is not a canonical identifier path for the new authority, and it is not verified under CanonicalID verification.

 

Bet its all clear now. J

 

~ Steve

 

 


From: Gabe Wachob [mailto:gabe.wachob@amsoft.net]
Sent: Monday, June 04, 2007 2:59 PM
To: 'Steven Churchill'; xri@lists.oasis-open.org
Subject: RE: [xri] CanonicalID verification text for section 11.

 

But in the case of authority merge, you would say, the canonical id’s from the two authorities should be of the same priority then?

 

            -Gabe

 


From: Steven Churchill [mailto:steven.churchill@xdi.org]
Sent: Monday, June 04, 2007 2:32 PM
To: 'Gabe Wachob'; xri@lists.oasis-open.org
Subject: RE: [xri] CanonicalID verification text for section 11.

 

Gabe,

 

The text intends to say this: only the highest priority CanonicalIDs are validated under Canonical ID verification. (Note that there may be more than one with the same highest priority, and if so, they are all validated.)

 

There may be other lower-priority Canonical IDs as well, but these are not validated under Canonical ID verification. These would be present, for example, in the case of an authority merge.

 

~ Steve

 

 


From: Gabe Wachob [mailto:gabe.wachob@amsoft.net]
Sent: Monday, June 04, 2007 12:53 PM
To: 'Steven Churchill'; xri@lists.oasis-open.org
Subject: RE: [xri] CanonicalID verification text for section 11.

 

Question:

 

1)       In reading the first page, it looks like there is only one canonical ID ever legally allowed in an XRD (the one with the highest priority) – I thought the point was that canonical ID verification would result in a legal CanonicalID and depending on how you got to the XRD, a specific CanonicalID would be “verified” or not, depending on the resolution path to get to the XRD. This is unrelated to “priority” attribute. Are you saying this is NOT the case?

 

 

 


From: Steven Churchill [mailto:steven.churchill@xdi.org]
Sent: Saturday, June 02, 2007 1:59 PM
To: xri@lists.oasis-open.org
Subject: [xri] CanonicalID verification text for section 11.

 

Drummond,

 

Attached are my changes for section 11.

 

I still owe the changes for Appendix E. (These are small.)

 

~ Steve

 



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]