[+gene...@openid.net for a broader audience]

On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz <balf...@google.com> wrote:

> Hi guys,
> Google would like to launch a feature in which we're allowing our Google
> Apps hosted domains to become OpenID providers. The authentication part of
> it is pretty simple - Google is already logging in users to their apps, so
> we can also host an OP endpoint for those domains and send assertions back
> to Relying Parties. What is more difficult is the discovery part. We have
> been working with the XRI TC to define a XRD-based discovery protocol that
> would allow this kind of hosting of discovery documents on behalf of our
> customers.
>
> We believe that providing proof-of-concept implementations drives
> standardization processes forward, so in this spirit we want to launch this
> feature in the near future, using a discovery protocol that as far as we can
> tell meets all the requirements of what the XRI TC is currently converging
> on, but which has not been vetted as an official standard (it's a chicken
> and egg thing - without PoC no standards, without standards by definition no
> standards-compliant implementations).
>
> While we were tossing around ideas
> <http://markmail.org/message/ixc5led2lobdwij2> in
> the standardization committees we just used random identifiers for new XML
> namespaces, etc. that we would need for this discovery protocol. Now that
> we're about to launch we need to decide what to call these things. We would
> like to use a namespace in http://specs.openid.net/... because we want
> this kind of discovery protocol to be part of OpenID, but we can't really
> use them because we don't have a next-generation discovery protocol yet.
>
> So what should we use? How about http://experimental.openid.net/... ? That
> way, Relying Parties know that what we're trying to do is be a part of the
> OpenID community and bring the protocol forward. On the other hand, this
> would also be a signal to the RP that they're using a feature that has not
> been vetted as a standard yet.
>
> For example, a discovery document for a domain balfanz.net at Google might
> look like this (notice the "experimental" namespace and the XML elements
> using it):
>
> <?xml version="1.0" encoding="UTF-8"?>
> <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" />
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>     </ds:SignedInfo>
>     <ds:KeyInfo>
>       <ds:X509Data>
>         <ds:X509Certificate>
>           MIICgjCCA...
>         </ds:X509Certificate>
>         <ds:X509Certificate>
>           MIICsDCCAhmgAwIB...
>         </ds:X509Certificate>
>       </ds:X509Data>
>     </ds:KeyInfo>
>   </ds:Signature>
>   <XRD>
>     <CanonicalID>balfanz.net</CanonicalID>
>     <Service priority="0">
>       <Type>http://specs.openid.net/auth/2.0/server</Type>
>       <Type>http://openid.net/srv/ax/1.0</Type>
>       <Type>http://specs.openid.net/extensions/pape/1.0</Type>
>       <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
>     </Service>
>     <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
>       <Type>http://www.iana.org/assignments/relation/describedby</Type>
>       <MediaType>application/xrds+xml</MediaType>
>       <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
>       <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
>     </Service>
>   </XRD>
> </xrds:XRDS>
>
> What do you guys think?
>
> Dirk.
>
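The discovery document above is the piece a Relying Party has to parse before it can trust anything the hosted OP says, so here is an added Python example (not code from the mail or from Google) that reads a copy of Dirk's site-level XRDS, pulls out the OP endpoint, the signature metadata, the `experimental:URITemplate` and `experimental:NextAuthority`, expands the template for a claimed identifier, and runs the sanity checks an RP would want before following the chain. The sample document is a constructed copy of the one in the mail with the certificate blobs left as the truncated placeholders the mail shows; the meaning of `{%uri}` as "percent-encoded claimed identifier" and the function names are this example's assumptions. Verifying the `ds:Signature` against the certificate chain is deliberately not implemented here; the checks only confirm that the material needed for that step is present and that every URL the RP would follow is HTTPS.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlsplit

# Namespace URIs exactly as they appear in the discovery document in the mail.
NS = {
    "xrds": "xri://$xrds",
    "xrd": "xri://$xrd*($v*2.0)",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "exp": "http://experimental.openid.net/google/2009/07/xmlns/",
}
OPENID_SERVER = "http://specs.openid.net/auth/2.0/server"
DESCRIBEDBY = "http://www.iana.org/assignments/relation/describedby"
RAW_OCTETS_C14N = "http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets"

# Constructed sample: the site XRDS from the mail, certificate blobs left as the
# truncated placeholders the mail itself shows.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICgjCCA...</ds:X509Certificate>
      <ds:X509Certificate>MIICsDCCAhmgAwIB...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <XRD>
    <CanonicalID>balfanz.net</CanonicalID>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <Type>http://specs.openid.net/extensions/pape/1.0</Type>
      <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
    </Service>
    <Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/">
      <Type>http://www.iana.org/assignments/relation/describedby</Type>
      <MediaType>application/xrds+xml</MediaType>
      <experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri={%uri}</experimental:URITemplate>
      <experimental:NextAuthority>hosted-id.google.com</experimental:NextAuthority>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _text(el, path):
    found = el.find(path, NS)
    return found.text.strip() if found is not None and found.text else None


def parse_site_xrds(doc: bytes) -> dict:
    """Extract what an RP needs from a signed site-level XRDS (hypothetical helper)."""
    root = ET.fromstring(doc)
    if root.tag != "{%s}XRDS" % NS["xrds"]:
        raise ValueError("not an XRDS document")
    info = {"canonical_id": _text(root, "xrd:XRD/xrd:CanonicalID"),
            "canonicalization": None, "signature_method": None, "certificates": [],
            "op_endpoint": None, "op_types": [], "uri_template": None, "next_authority": None,
            # True when any element lives in the experimental namespace: the RP is
            # relying on a feature the mail says has not been vetted as a standard.
            "experimental": any(el.tag.startswith("{%s}" % NS["exp"]) for el in root.iter())}
    sig = root.find("ds:Signature", NS)
    if sig is not None:
        c14n = sig.find("ds:SignedInfo/ds:CanonicalizationMethod", NS)
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        info["canonicalization"] = c14n.get("Algorithm") if c14n is not None else None
        info["signature_method"] = method.get("Algorithm") if method is not None else None
        info["certificates"] = [c.text.strip() for c in
                                sig.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) if c.text]
    for svc in root.findall("xrd:XRD/xrd:Service", NS):
        types = [t.text.strip() for t in svc.findall("xrd:Type", NS) if t.text]
        if OPENID_SERVER in types:                 # the OP endpoint for the domain
            info["op_endpoint"], info["op_types"] = _text(svc, "xrd:URI"), types
        if DESCRIBEDBY in types:                   # where per-user XRDS documents live
            info["uri_template"] = _text(svc, "exp:URITemplate")
            info["next_authority"] = _text(svc, "exp:NextAuthority")
    return info


def expand_user_xrds_uri(template: str, claimed_id: str) -> str:
    """Fill {%uri} with the percent-encoded claimed identifier (assumed semantics)."""
    if "{%uri}" not in template:
        raise ValueError("template has no {%uri} placeholder")
    return template.replace("{%uri}", quote(claimed_id, safe=""))


def rp_sanity_checks(info: dict) -> list:
    """Problems an RP should stop on before verifying the signature and following the chain."""
    problems = []
    for name in ("op_endpoint", "uri_template"):
        url = info.get(name)
        if not url or urlsplit(url).scheme != "https":
            problems.append("%s is missing or not https" % name)
    if not info["certificates"]:
        problems.append("no signing certificate in KeyInfo")
    if info["canonicalization"] != RAW_OCTETS_C14N:
        problems.append("unexpected canonicalization method")
    if not info["next_authority"]:
        problems.append("describedby service names no NextAuthority to chain trust to")
    return problems


if __name__ == "__main__":
    site = parse_site_xrds(SAMPLE_XRDS)
    print(site["op_endpoint"], site["next_authority"], rp_sanity_checks(site))
    print(expand_user_xrds_uri(site["uri_template"], "http://balfanz.net/openid?id=dirk"))
```

The `experimental` flag is the practical form of the signal Dirk describes: an RP can log or gate on it rather than silently treating the hosted-discovery path like a standardized one, and the `NextAuthority` value is what the RP has to tie the next document's signing key back to.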
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs