>> Johnny Bufu wrote:
>>
>> We did look at this (with Drummond) in December. The bottom line is
>> that it can't be done easily - a mechanism similar to XRI's canonical
>> ID verification would have to be employed, to confirm that the
>> i-number actually 'belongs' to the URL on which discovery was
>> initiated. (Otherwise anyone could put any i-number in their
>> URL-based XRDS files.)
>>
>Martin Atkins wrote:
>
>Indeed, CanonicalID verification would be necessary, but it's already
>necessary if you want to accept XRI-based logins anyway.
>
>Last time we were talking about this, CanonicalID verification for XRI
>was not yet specified. Is it now specified somewhere?

Martin, it's been specified in draft form since last October on the XRI TC wiki at:

http://wiki.oasis-open.org/xri/XriCd02/CanonicalIdVerification

The content there was moved week before last into the first editor's draft of XRI Resolution 2.0 Working Draft 11 at:

http://www.oasis-open.org/committees/download.php/24096/xri-resolution-v2.0-wd-11-ed-01.doc

The new Canonical ID Verification section is #11. Note that the verification rules currently only cover if the XRDS is discovered from an XRI. In the second editor's draft, due this Wednesday, we will add rules for verification if the XRDS is discovered from a URL.

=Drummond