Re: [xri] Thoughts on XRD-to-resource cardinality - John Bradley - org.oasis-open.lists.xri

448 messages in org.oasis-open.lists.xriRe: [xri] Thoughts on XRD-to-resource...

From	Sent On	Attachments
263 earlier messages
Drummond Reed	Dec 3, 2008 4:53 pm
Drummond Reed	Dec 4, 2008 10:42 pm
Drummond Reed	Dec 5, 2008 5:11 pm
Drummond Reed	Dec 5, 2008 6:06 pm
Ben Laurie	Dec 8, 2008 9:06 am
Breno de Medeiros	Dec 8, 2008 9:10 am
John Bradley	Dec 8, 2008 9:11 am
Drummond Reed	Dec 8, 2008 9:55 am
Drummond Reed	Dec 8, 2008 10:00 am
Markus Sabadello	Dec 8, 2008 10:04 am
Drummond Reed	Dec 8, 2008 11:55 pm
Ben Laurie	Dec 9, 2008 5:34 am
Drummond Reed	Dec 9, 2008 11:15 am
Drummond Reed	Dec 9, 2008 11:23 am
Dirk Balfanz	Dec 9, 2008 2:15 pm
Drummond Reed	Dec 9, 2008 3:25 pm
Drummond Reed	Dec 9, 2008 11:37 pm
Peter Davis	Dec 10, 2008 5:48 am
John Bradley	Dec 10, 2008 8:40 am
Drummond Reed	Dec 10, 2008 3:15 pm
Drummond Reed	Dec 11, 2008 4:22 pm
Drummond Reed	Dec 17, 2008 6:12 pm
Eran Hammer-Lahav	Dec 18, 2008 2:02 pm
Drummond Reed	Dec 26, 2008 5:22 pm
Drummond Reed	Jan 5, 2009 6:57 pm
Drummond Reed	Jan 6, 2009 9:12 am
Drummond Reed	Jan 7, 2009 5:46 pm
Xiaodong Lee	Jan 7, 2009 6:00 pm
Drummond Reed	Jan 7, 2009 6:07 pm
Drummond Reed	Jan 9, 2009 12:37 am
Drummond Reed	Jan 11, 2009 7:16 pm
Drummond Reed	Jan 11, 2009 10:34 pm
Drummond Reed	Jan 12, 2009 4:54 pm
Drummond Reed	Jan 12, 2009 9:42 pm
Drummond Reed	Jan 13, 2009 11:18 am
Drummond Reed	Jan 13, 2009 1:37 pm
Drummond Reed	Jan 13, 2009 2:03 pm
Drummond Reed	Jan 13, 2009 5:48 pm
Chasen, Les	Jan 13, 2009 10:46 pm
Drummond Reed	Jan 15, 2009 1:58 am
Drummond Reed	Jan 16, 2009 6:05 pm
Drummond Reed	Jan 19, 2009 11:14 am
Drummond Reed	Jan 21, 2009 11:06 pm
Drummond Reed	Jan 26, 2009 6:33 pm
Drummond Reed	Jan 27, 2009 5:58 pm
Drummond Reed	Jan 27, 2009 9:59 pm
Eran Hammer-Lahav	Jan 27, 2009 10:21 pm
Peter Davis	Jan 28, 2009 5:42 am
George Fletcher	Jan 28, 2009 8:08 am
John Bradley	Jan 28, 2009 8:31 am
George Fletcher	Jan 28, 2009 8:49 am
John Bradley	Jan 28, 2009 9:13 am
Drummond Reed	Jan 28, 2009 10:48 pm
Drummond Reed	Jan 28, 2009 11:14 pm
Nat Sakimura	Jan 29, 2009 12:00 am
Nat Sakimura	Jan 29, 2009 12:12 am
John Bradley	Jan 29, 2009 1:43 pm
Peter Davis	Jan 29, 2009 1:53 pm
Eran Hammer-Lahav	Jan 29, 2009 2:36 pm
Drummond Reed	Feb 2, 2009 9:46 pm
Brian Eaton	Feb 3, 2009 8:07 am
Drummond Reed	Feb 4, 2009 11:42 pm
Drummond Reed	Feb 9, 2009 9:44 pm
Drummond Reed	Feb 9, 2009 10:21 pm
Drummond Reed	Feb 10, 2009 11:37 pm
Drummond Reed	Feb 12, 2009 12:28 am
Drummond Reed	Feb 12, 2009 10:12 pm
Drummond Reed	Feb 17, 2009 12:05 am
Drummond Reed	Feb 17, 2009 11:50 am
Drummond Reed	Feb 18, 2009 9:35 pm
Eran Hammer-Lahav	Feb 18, 2009 9:53 pm
Drummond Reed	Feb 19, 2009 2:01 am
Drummond Reed	Feb 19, 2009 8:48 pm
Drummond Reed	Feb 26, 2009 12:24 am
Drummond Reed	Feb 28, 2009 2:48 pm
Drummond Reed	Mar 5, 2009 1:10 am
Drummond Reed	Mar 11, 2009 5:34 pm
Drummond Reed	Mar 11, 2009 8:25 pm
Drummond Reed	Mar 13, 2009 9:32 pm
Gabe Wachob	Mar 16, 2009 9:34 pm
Drummond Reed	Mar 18, 2009 10:54 pm
Eran Hammer-Lahav	Mar 19, 2009 9:40 am
Drummond Reed	Mar 19, 2009 10:10 pm
Drummond Reed	Mar 26, 2009 12:42 am
John Bradley	Mar 26, 2009 3:26 pm
Drummond Reed	Mar 26, 2009 9:33 pm
Drummond Reed	Mar 26, 2009 9:58 pm
Drummond Reed	Mar 26, 2009 10:11 pm
Drummond Reed	Apr 2, 2009 1:06 am
Markus Sabadello	Apr 2, 2009 10:36 am
Drummond Reed	Apr 2, 2009 1:00 pm
Drummond Reed	Apr 4, 2009 6:01 pm
Drummond Reed	Apr 8, 2009 11:09 pm
Drummond Reed	Apr 9, 2009 9:16 am
Drummond Reed	Apr 15, 2009 3:06 pm
Drummond Reed	Apr 22, 2009 8:33 pm
Sakimura Nat	Apr 22, 2009 11:59 pm
Drummond Reed	Apr 23, 2009 12:20 am
Sakimura Nat	Apr 23, 2009 12:23 am
Will Norris	Apr 23, 2009 12:25 am
85 later messages

Subject:	Re: [xri] Thoughts on XRD-to-resource cardinality
From:	John Bradley (jbra...@mac.com)
Date:	Jan 28, 2009 8:31:38 am
List:	org.oasis-open.lists.xri

George,

On your example I don't quite get why theboot.org needs to do anything special to delegate its RP functionality. Yes it needs to have the correct return to URI in the site XRD as it needs to now in its XRDS.

I don't see any requirement to add link headers to all the pages unless we are talking about some sort of identity in the browser application.

Are you talking about theboot.org providing OP services to its users via there home pages and delegating that to a third party?

I see that as being the use case for delegating the XRD while still wanting to maintain https://theboot.com/user as the openID claimed ID.

=jbradley

On 28-Jan-09, at 1:09 PM, George Fletcher wrote:

I too am trying to work through the trust issues with HTTP resolution. I'm interested in how the DNS trust profile can help. Here is a concrete (though hypothetical) use case...

-------- A web site (theboot.com; country music content site) supports OpenID authentication via a delegated service implementing the OpenID Relying Party support. The web site also supports OAuth access to a user's comments and favorite music lists created as part of the site.

To Brian's point on the conf call, theboot.com doesn't want to generate XRD's for every resource on the site so uses the Link header mechanism to specify a "uncommitted" XRD for the entire site. In this "uncommitted" XRD there is neither a CanonicalID or EquivID element because neither make sense. (Note that this may be better solved with /site-meta. Maybe the Link header could point directly to the site-meta with a different rel= value?).

The XRD references related resources for OpenID authentication, OAuth endpoints and maybe the IdentityInTheBrowser endpoints.

---------

As an invoker of services at this web site, I'd like to know with some assurance that the XRD pointed at by the Link header is "authoritative" for the URI used to discover it. Even if the XRD is signed, the Consumer doesn't have any way to determine if that signer is authoritative for the initial URI.

Would it make sense to allow for an optional <TrustURIMap> element in the XRD that establishes some level of trust by requiring that both the initial resource URI and the signing Subject/SubjectAltName match the <TrustURIMap>?

If "trust" is not required or supported by the site, then the <TrustURIMap> would not be present and the Consumer would need to determine what to do. Determining whether the <TrustURIMap> is "specific" enough to provide a reasonable level of trust is out of scope for the spec and must be determined by the Consumer.

Peter Davis wrote:

this approach makes sense to me. On the trust profile topic, however, it's not clear to me how, in HTTP resolution mode, we can establish any bonding between the resource identifier and the XRD signing key.

Having said that, I am preparing to publish my DNS trust profile, which might ease this situation. I'll drop a note on the list when I've got it written up on the wiki.

=peterd

On Jan 28, 2009, at 1:21 AM, Eran Hammer-Lahav wrote:

This is an interesting idea but I am not sure we need to go this far. Brian, Breno, Dirk, and I had an interesting conversation about > this today.

Ignoring the theoretical ideas and focusing on actual use cases, we > have some clear requirements:

1. Allow multiple resources to point (link) to a single XRD (with a > single URI). 2. Allow an XRD to clearly state its subject. 3. Allow an XRD to establish its authority (via trust) to make > claims about its subject. 4. Allow an XRD to declare how a set of URIs relate to each other (equiv, canonical, etc).

There is no clear use case for an XRD to:

5. Allow an XRD to state multiple subjects, unrelated to one another. 6. Allow multiple entities (certificates) to sing a single XRD.

---

Here is how each can be addressed. Define the following XRD-level elements (straw man names):

CanonicalURI - the canonical identifier of the XRD subject resource > (0 or 1). EquivURI - an alias of the subject resource, a different URI to the > same resource (0 or more).

1. While resources can share any XRD, even with a stated subject,

it > will probably fail trust verification in most applications if the > URI being discovered is not listed in one of the two URI elements > above. I think we should name the kind of XRD that has no URI > subject declared internally, and has its subject derived from the > URI being discovered pointing to it. A sort of "uncommitted" XRD.

2. The XRD can use any combination of the URI elements to declare its subject. Usually if it contains a single URI, it will use the CanonicalURI, and if more than one, it can have one canonical and many equiv, or just many equiv without clearly choosing a canonical.

3. To make trust simple enough, there has to be a connection

between > the XRD subject and the subject of the certificate used to sign it. > In theory, any one of the URIs can be signed, including an non-

canonical one. But usually the canonical URI will be the one signed.

4. The clear meaning of the two URI elements allow declaring how multiple URI relate to one another, while the XRD describes a single > resource.

---

This approach simply adds to what we have today the explicit

ability > to not state the subject of an XRD, and allow such uncommitted > descriptor to be used by multiple resources.

We should discuss the elements names (I am not against the

current > ___ID elements, but they don't translate well to the non- identity > use cases, even if the ID maps to the I in URI...), as well as more > such URI relationships at the XRD level.

EHL

-----Original Message----- From: Drummond Reed [mailto:drum...@cordance.net] Sent: Tuesday, January 27, 2009 10:00 PM To: 'XRI TC' Subject: [xri] Thoughts on XRD-to-resource cardinality

I will be offline Thursday and Friday travelling to a memorial, so I want to contribute here on the list to advance today's discussion about XRD-to-resource mapping (http://wiki.oasis-open.org/xri/SelfServeAgenda#head- a4044b7035eb441c2674549 d07ccaf27daed8970).

As I said on the call, the concept of a one-to-many mapping between >> an XRD and the resources it describes is a mind-expander for those of us who have been living a one-XRD-to-one-resource worldview for a few years now. But the use case -- being able to get and cache one XRD to describe >> potentially a very large number of resources (such as an entire site) is >> compelling.

Under a one-to-many mapping, I believe Eran's right that the >> concept of asserting a synonym (not just CanonicalID but any synonym) pretty >> much goes away. The only synonym assertion I could see providing is some form >> of aliasing template that would apply to the URIs of all the described resources (e.g., every that maps to the http://foo.example.com/* template can all be mapped to the http://bar.example.com/* template).

But that appears to be of limited use, and probably not appropriate >> for assigning CanonicalIDs (which is usually a mapping from a >> reassignable to a persistent identifier).

But the rest of the XRD metadata and Link metadata still seems appropriate, i.e., it applies as much to an individual resource (one-to-one mapping) as it does to a group of resources (one-to-many mapping).

So what I'm wondering is if maybe there should be a clear way of indicating the cardinality of the XRD. In other words, a child element of the >> root XRD element that indicates whether it is it an individual XRD (one- to-one mapping) or a group XRD (one-to-many mapping).

If there was a choice between two mutually exclusive options for that child element, then all the other elements that are appropriate only for >> one or the other (CanonicalID, EquivID, URIMap, etc.) could follow as children of that element.

Here's a simple example using the element names <Resource> and <ResourceGroup>:

INDIVIDUAL XRD:

<XRD> <Expires>2009-01-01T08:30:00Z</Expires> <Resource> <CanonicalID>http://example.com/resource/1</CanonicalID> <EquivID>http://example.net/resource/1</EquivID> </Resource> <Type>http://example.com/type/profile_photo</Type>

<Link> <URI>http://example.com/resource/2</URI> <Rel>http://example.com/rel/profile</Rel> </Link> </XRD>

GROUP XRD:

<XRD> <Expires>2009-01-01T08:30:00Z</Expires> <ResourceGroup> <URIMap>http://example.com/resource/*</URIMap> </ResourceGroup> <Type>http://example.com/type/photos</Type>

<Link> <URI>http://example.com/service/1</URI> <Rel>http://example.com/rel/some-group-service</Rel> </Link> </XRD>

Thoughts?

=Drummond

To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at: https://www.oasis-open.org/apps/org/workgroup/portal/ my_workgroups.php

Peter Davis: NeuStar, Inc. Director & Distinguished Member of the Technical Staff 45980 Center Oak Plaza Sterling, VA 20166 [T] +1 571 434 5516 [E] pete...@neustar.biz [W] http://www.neustar.biz/ [X] xri://@neustar*pdavis [X] xri://=peterd The information contained in this e-mail message is intended only for the use of the recipient(s) named above and may contain confidential and/or privileged information. If you are not the intended recipient you have received this e-mail message in error and any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately and delete the original message.

	Start a set with this search
	Include this search in one of my sets
	Exclude this search from one of my sets