

Subject: Re: [xri] XRD trusted discovery workflow



On 10-Dec-08, at 2:09 PM, Breno de Medeiros wrote:

On Tue, Dec 9, 2008 at 8:35 PM, Dirk Balfanz <balfanz@google.com> wrote:
Thanks for putting that up, here are a few comments/questions:
- Both in the PKI and in the out-of-band versions the basic verification
step seems to go like this: you already have a canonical_id, and you do the
following: (1) check that the canonical_id in the XRD document is the same
as the canonical_id you're already holding, (2) verify the signature on the
document, (3) verify that the key used to sign the document matches the
canonical_id in the document. Why bother with the canonical_id in the
document in the first place? Why not just (1) verify the signature, and (2)
verify that the key used to sign the document matches the canonical_id
you're already holding?

Unless the canonical id is used for delegation, it should be optional.
You could have the case where you arrive at the same document with
several canonical_ids. For instance, when you resolve a claimed_id
through /site-meta.

I think the idea is that an XRD can only have one canonical_id; there may be multiple URIs that resolve to the XRD, but only one can be canonical.

I don't know what we are going to do with the EquivID element. In XRI 2.0 that would be how you would specify non-canonical synonyms for the XRD.


=jbradley

