I maintain that if I'm doing discovery against, e.g., gmail.com for
b...@gmail.com, the discovery document served from
https://gmail.com/.well-known/host-meta is authentic as long as the
HTTPS session is verified.
I rather we leave trust/security aside for now. Let's focus on the actual value and once we have it locked down, figure out what we want to sign, etc.
The XRI TC decided to let protocols define their trust profiles and needs, only defining a framework for signing XRD documents. I think we should use what the Google team has been developing for OpenID.
EHL
> The XRI TC decided to let protocols define their trust profiles and
> needs, only defining a framework for signing XRD documents. I think
> we should use what the Google team has been developing for OpenID.
>
> EHL
I really don't want to get into a heavy discussion about trust
profiles, but I'm not sure what you mean by "use what the Google team
has been developing for OpenID". If you're referring to the use of a
detached signature carried in the HTTP header, you can't. That
specifically violates XRD, as it is written today. If you're
referring to the Subject matching stuff, then that absolutely makes
sense.
Again, I don't want to dive too deeply into this topic, only to make
sure folks don't go too far down a path that leads to nowhere. In any
event, there is plenty of work that can be done without having to
worry too much about the specifics of the document signing.
-will
>
>
> On Aug 14, 2009, at 3:07 PM, Eran Hammer-Lahav wrote:
>
>> The XRI TC decided to let protocols define their trust profiles and
>> needs, only defining a framework for signing XRD documents. I think
>> we should use what the Google team has been developing for OpenID.
>>
>> EHL
>
> I really don't want to get into a heavy discussion about trust
> profiles, but I'm not sure what you mean by "use what the Google team
> has been developing for OpenID". If you're referring to the use of a
> detached signature carried in the HTTP header, you can't. That
> specifically violates XRD, as it is written today. If you're
> referring to the Subject matching stuff, then that absolutely makes
> sense.
not just the subject matching, but also the stuff the Google team is
proposing around NextAuthority (represented by a Link/KeyInfo element
in XRD). That is very useful stuff when talking about trust profiles.
-will