Re: [xri] Re: questions about LRDD / OpenID

[Eran Hammer-Lahav <eran@hueniverse.com>]

Title: Re: [xri] Re: questions about LRDD / OpenID

This is getting too deep into OpenID.

I HATE the HTML discovery option and would like to see it go away. It is an interop and security nightmare.

I think OpenID needs to get a coherent story about discovery. Piling up options isn’t a good idea.

EHL


On 3/23/09 11:29 AM, "Will Norris" <will@willnorris.com> wrote:

> hmm, looks like I was a bit off with my answers... sorry about that.
>
>
> On Mar 23, 2009, at 11:09 AM, Eran Hammer-Lahav wrote:
> >
> > On 3/23/09 8:44 AM, "Markus Sabadello" <markus.sabadello@xdi.org> 
> > wrote:
> >
> >> 1. When performing LRDD on Joe's OpenID http://example.com/joe, you 
> >> say that
> >> in step 3 the relying party gets the /host-meta file and looks for 
> >> the
> >> "Link-Pattern" entry. My question is, shouldn't it also look for a 
> >> "Link"
> >> entry?
> >
> > Not when performing LRDD. The /host-meta Link record is currently 
> > specified
> > to apply to all resources under the same authority (wording I plan to
> > change), but such records are not used in LRDD. The short answer is 
> > that
> > there are many other methods we could have included but decided to 
> > limit the
> > list to three specific methods.
> >
> > The long answer is how that it creates a complicated flow where it 
> > is now
> > clear which records to use.
> >
> > OpenID may choose to use /host-meta Link for performing a site-wide
> > discovery that is not for a specific URI. But that is not part of 
> > LRDD.
>
> Given than several large providers are doing OP-driven identifier 
> selection (Yahoo and Google immediately come to mind), are you 
> expecting that this will be a likely possibility?
>
>
> >> 3. It seems that XRD is now very similar to the various Link 
> >> mechanisms. My
> >> question is, in your OpenID example, could the same goals be 
> >> achieved without
> >> using XRD at all? E.g. when performing LRDD on Joe's OpenID
> >> http://example.com/joe, instead of discovering an XRD via 
> >> describedby links,
> >> couldn't you also directly discover the OpenID provider:
> >
> > While they are semantically identical, an application using XRD over 
> > LRDD
> > will only look for application records in the XRD and not in other 
> > links.
> > This is mostly for interoperability which is the main reason for all 
> > this
> > work.
> >
> > Think about it this way, the same way LRDD is making some restrictive
> > choices about which links to use, applications using XRD are 
> > applying the
> > same pattern by limiting where their application-specific meta is 
> > located.
>
> This assumes the application is using XRD+LRDD exclusively.  OpenID is 
> already using its own fall-back mechanism today in additional to Yadis/
> XRDS, in the form of the <link> HTML elements.  I understand it will 
> be up to the OpenID community to define how any new discovery spec 
> works, but what are you expecting?  Do you foresee them keeping the 
> <link> HTML elements?  If so, isn't it likely that we could expect to 
> see use of the Link HTTP header as well?
>
> -will