[+gene...@openid.net for a broader audience] On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz <balf...@google.com> wrote:
> Hi guys, > Google would like to launch a feature in which we're allowing our Google > Apps hosted domains to become OpenID providers. The authentication part of > it is pretty simple - Google is already logging in users to their apps, so > we can also host an OP endpoint for those domains and send assertions back > to Relying Parties. What is more difficult is the discovery part. We have > been working with the XRI TC to define a XRD-based discovery protocol that > would allow this kind of hosting of discovery documents on behalf of our > customers. > > We believe that providing proof-of-concept implementations drives > standardization processes forward, so in this spirit we want to launch this > feature in the near future, using a discovery protocol that as far as we can > tell meets all the requirements of what the XRI TC is currently converging > on, but which has not been vetted as an official standard (it's a chicken > and egg thing - without PoC no standards, without standards by definition no > standards-compliant implementations). > > While we were tossing around ideas > <http://markmail.org/message/ixc5led2lobdwij2>in > the standardization committees we just used random identifiers for new XML > namespaces, etc. that we would need for this discovery protocol. Now that > we're about to launch we need to decide what to call these things. We would > like to use a namespace in http://specs.openid.net/... because we want > this kind of discovery protocol to be part of OpenID, but we can't really > use them because we don't have a next-generation discovery protocol yet. > > So what should we use? How about http://experimental.openid.net/... ? That > way, Relying Parties know that what we're trying to do is be a part of the > OpenID community and bring the protocol forward. On the other hand, this > would also be a signal to the RP that they're using a feature that has not > been vetted as a standard yet. > > For example, a discovery document for a domain balfanz.net at Google might > look like this (notice the "experimental" namespace and the XML elements > using it): > > <?xml version="1.0" encoding="UTF-8"?> > <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"> > <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> > <ds:SignedInfo> > <ds:CanonicalizationMethod Algorithm=" > http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets" /> > <ds:SignatureMethod Algorithm=" > http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> > </ds:SignedInfo> > <ds:KeyInfo> > <ds:X509Data> > <ds:X509Certificate> > MIICgjCCA... > </ds:X509Certificate> > <ds:X509Certificate> > MIICsDCCAhmgAwIB... > </ds:X509Certificate> > </ds:X509Data> > </ds:KeyInfo> > </ds:Signature> > <XRD> > <CanonicalID>balfanz.net</CanonicalID> > <Service priority="0"> > <Type>http://specs.openid.net/auth/2.0/server</Type> > <Type>http://openid.net/srv/ax/1.0</Type> > <Type>http://specs.openid.net/extensions/pape/1.0</Type> > <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI> > </Service> > <Service priority="0" xmlns:experimental=" > http://experimental.openid.net/google/2009/07/xmlns/"> > <Type>http://www.iana.org/assignments/relation/describedby</Type> > <MediaType>application/xrds+xml</MediaType> > <experimental:URITemplate> > https://www.google.com/accounts/o8/user-xrds?uri={%uri}<https://www.google.com/accounts/o8/user-xrds?uri=%7B%uri%7D> > </experimental:URITemplate> > <experimental:NextAuthority>hosted-id.google.com > </experimental:NextAuthority> > </Service> > </XRD> > </xrds:XRDS> > > What do you guys think? > > Dirk. >
_______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs