Hi guys,
Google would like to launch a feature in which we're allowing our Google
Apps hosted domains to become OpenID providers. The authentication part of
it is pretty simple - Google is already logging in users to their apps, so
we can also host an OP endpoint for those domains and send assertions back
to Relying Parties. What is more difficult is the discovery part. We have
been working with the XRI TC to define a XRD-based discovery protocol that
would allow this kind of hosting of discovery documents on behalf of our
customers.

We believe that providing proof-of-concept implementations drives
standardization processes forward, so in this spirit we want to launch this
feature in the near future, using a discovery protocol that as far as we can
tell meets all the requirements of what the XRI TC is currently converging
on, but which has not been vetted as an official standard (it's a chicken
and egg thing - without PoC no standards, without standards by definition no
standards-compliant implementations).

While we were tossing around ideas
<http://markmail.org/message/ixc5led2lobdwij2>in
the standardization committees we just used random identifiers for new XML
namespaces, etc. that we would need for this discovery protocol. Now that
we're about to launch we need to decide what to call these things. We would
like to use a namespace in http://specs.openid.net/... because we want this
kind of discovery protocol to be part of OpenID, but we can't really use
them because we don't have a next-generation discovery protocol yet.

So what should we use? How about http://experimental.openid.net/... ? That
way, Relying Parties know that what we're trying to do is be a part of the
OpenID community and bring the protocol forward. On the other hand, this
would also be a signal to the RP that they're using a feature that has not
been vetted as a standard yet.

For example, a discovery document for a domain balfanz.net at Google might
look like this (notice the "experimental" namespace and the XML elements
using it):

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
  <ds:SignedInfo>
  <ds:CanonicalizationMethod Algorithm="
http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets"; />
  <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1
" />
  </ds:SignedInfo>
  <ds:KeyInfo>
  <ds:X509Data>
  <ds:X509Certificate>
  MIICgjCCA...
  </ds:X509Certificate>
  <ds:X509Certificate>
  MIICsDCCAhmgAwIB...
  </ds:X509Certificate>
  </ds:X509Data>
  </ds:KeyInfo>
  </ds:Signature>
  <XRD>
  <CanonicalID>balfanz.net</CanonicalID>
  <Service priority="0">
  <Type>http://specs.openid.net/auth/2.0/server</Type>
  <Type>http://openid.net/srv/ax/1.0</Type>
  <Type>http://specs.openid.net/extensions/pape/1.0</Type>
  <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
  </Service>
  <Service priority="0" xmlns:experimental="
http://experimental.openid.net/google/2009/07/xmlns/";>
  <Type>http://www.iana.org/assignments/relation/describedby</Type>
  <MediaType>application/xrds+xml</MediaType>
  <experimental:URITemplate>
https://www.google.com/accounts/o8/user-xrds?uri={%uri}
</experimental:URITemplate>
  <experimental:NextAuthority>hosted-id.google.com
</experimental:NextAuthority>
  </Service>
  </XRD>
</xrds:XRDS>

What do you guys think?

Dirk.
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Reply via email to