Should this experimental namespace only apply to work being done by OpenID working groups? I'm very supportive of pushing the standards forward via prototypes, but that should be done as part of the OpenID community instead of by a single company.

I'd be very happy to help get a discovery working group spun up and charter them to modernize OpenID 2.0's discovery process.

--David

On Jul 10, 2009, at 11:58 AM, George Fletcher wrote:

+1 to http://experimental.openid.net

It would be good to add this to the "repository" work Breno and John are doing as having a registry for experimental URIs would be good as well.

Thanks,
George

Dirk Balfanz wrote:
[+gene...@openid.net <mailto:gene...@openid.net> for a broader audience]

On Thu, Jul 9, 2009 at 4:45 PM, Dirk Balfanz <balf...@google.com <mailto:balf...@google.com >> wrote:

   Hi guys,
   Google would like to launch a feature in which we're allowing our
   Google Apps hosted domains to become OpenID providers. The
   authentication part of it is pretty simple - Google is already
   logging in users to their apps, so we can also host an OP endpoint
   for those domains and send assertions back to Relying Parties.
   What is more difficult is the discovery part. We have been working
   with the XRI TC to define a XRD-based discovery protocol that
   would allow this kind of hosting of discovery documents on behalf
   of our customers.
   We believe that providing proof-of-concept implementations drives
   standardization processes forward, so in this spirit we want to
   launch this feature in the near future, using a discovery protocol
   that as far as we can tell meets all the requirements of what the
   XRI TC is currently converging on, but which has not been vetted
   as an official standard (it's a chicken and egg thing - without
   PoC no standards, without standards by definition no
   standards-compliant implementations).

While we were tossing around ideas <http://markmail.org/message/ixc5led2lobdwij2 >in the
   standardization committees we just used random identifiers for new
   XML namespaces, etc. that we would need for this discovery
   protocol. Now that we're about to launch we need to decide what to
   call these things. We would like to use a namespace
   in http://specs.openid.net/... because we want this kind of
   discovery protocol to be part of OpenID, but we can't really use
them because we don't have a next-generation discovery protocol yet.
   So what should we use? How
   about http://experimental.openid.net/... ? That way, Relying
   Parties know that what we're trying to do is be a part of the
   OpenID community and bring the protocol forward. On the other
   hand, this would also be a signal to the RP that they're using a
   feature that has not been vetted as a standard yet.
   For example, a discovery document for a domain balfanz.net
   <http://balfanz.net> at Google might look like this (notice the
   "experimental" namespace and the XML elements using it):

   <?xml version="1.0" encoding="UTF-8"?>
   <xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
     <ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://docs.oasis-open.org/xri/xrd/2009/01#canonicalize-raw-octets " /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1 " />
     </ds:SignedInfo>
     <ds:KeyInfo>
     <ds:X509Data>
     <ds:X509Certificate>
     MIICgjCCA...
     </ds:X509Certificate>
     <ds:X509Certificate>
     MIICsDCCAhmgAwIB...
     </ds:X509Certificate>
     </ds:X509Data>
     </ds:KeyInfo>
     </ds:Signature>
     <XRD>
     <CanonicalID>balfanz.net <http://balfanz.net></CanonicalID>
     <Service priority="0">
     <Type>http://specs.openid.net/auth/2.0/server</Type>
     <Type>http://openid.net/srv/ax/1.0</Type>
     <Type>http://specs.openid.net/extensions/pape/1.0</Type>
     <URI>https://www.google.com/a/balfanz.net/o8/ud?be=o8</URI>
     </Service>
<Service priority="0" xmlns:experimental="http://experimental.openid.net/google/2009/07/xmlns/ "> <Type>http://www.iana.org/assignments/relation/describedby</ Type>
     <MediaType>application/xrds+xml</MediaType>
<experimental:URITemplate>https://www.google.com/accounts/o8/user-xrds?uri= {%uri} <https://www.google.com/accounts/o8/user-xrds?uri=%7B%uri%7D></ experimental:URITemplate>
     <experimental:NextAuthority>hosted-id.google.com
   <http://hosted-id.google.com></experimental:NextAuthority>
     </Service>
     </XRD>
   </xrds:XRDS>

   What do you guys think?

   Dirk.


------------------------------------------------------------------------

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs

Reply via email to