Comments on The Tao of XDI: More on Claims and XRDS

=andy.dale, 2008-04-19T06:44:00.000-07:00

You control a URL, in this case a blog.... You want to assert a relationship with an XRDS. You need to provide a way for a 3rd party to 'discover' or 'request' that XRDS ownership assertion from your url... right?

You could:
1) Use a rel tag in the blog page
2) Use some micro-format on the page
3) Embed SAML in your page

BUT

I think there is a well defined way to find an XRDS from a url... yadis.

The fact that yadis discovery on a URL resolves to an XRDS IS a claim by the service provider of 'ownership' or 'association'.

A 3rd party who wants to ask the blog if there is an associated XRDS for this blog (or blog owner) simply initiates yadis discovery on the blog url... If they get back an XRDS... the answer is 'Yes, this one'; if no XRDS is discovered, then the answer is no.

Anonymous, 2008-04-18T09:11:00.000-07:00

> Am I helping yet?

Errr.. Not really...

Let me restate the problem:
Given:
a) I run a blog hosting service and host a blog for =bobwyman
b) One or more XRDS files exist which point to =bobwyman's blog. Only one of these XRDS files is "owned" by =bobwyman.
c) Pointing to =bobwyman's blog from an XRDS file is, in this case, considered the equivalent of claiming a binding between the blog and the owner of the XRDS file.

Problem:
When asked, I want to be able to say about an XRDS file that: "This XRDS file, which points to =bobwyman's blog, is, or is not, known to me to be owned by the person for whom I believe I am hosting the blog. (i.e. =bobwyman)"

What I am trying to do here is provide third-party verification of assertions in XRDS files.

bob wyman

=andy.dale, 2008-04-18T07:37:00.000-07:00

Sorry, I knew I wasn't being clear even as I posted that last comment...

There is only one XRDS. The 'owner' of the XRDS and their IDP are the ONLY entities able to edit that XRDS. The individual better trust his IDP or he's got deeper problems.

The 'proof' is based on a statement in the XRDS that any given uri (xri, url) is 'about me'. That statement needs to be put in the XRDS once and acts as a proof that 'someone with the credentials to edit this XRDS has stated this relationship'.

The blog is basically just pointing at that proof in the person's XRDS. We explored a bunch of different ways for a 'blog' (random web page) to 'point' at an XRDS... should it use a rel tag? a microformat? a microID? etc... We realized that there is already a spec for 'discovering' an XRDS from a uri... yadis. That doesn't mean that the uri is authoritative for the XRDS, just that it is pointing at it.

Am I helping yet?

Anonymous, 2008-04-18T06:56:00.000-07:00

If there is only one XRDS file in play and "proofs" are recorded as edits to that single file, then it seems that anyone who has write access to the file can forge any proofs.

As a reader of the XRDS file, I would have no idea who had authored which lines in the file. Thus, I wouldn't be able to rely on any statements made within it.

bob wyman

=andy.dale, 2008-04-17T08:03:00.000-07:00

My understanding of this is that there is only 1 XRDS in play here. The 'blog' wants to specify that the 'owner' of this blog is also the 'owner' of 'this' XRDS. The XRDS that is returned by yadis discovery is the same as the one returned by yadis discovery of the same person's OpenID. In the OpenID case the user 'proves' ownership by providing credentials to the OP. In the blog case the owner 'proves' control of the XRDS by editing the XRDS to include a pointer to the blog.

Does that make sense?

Anonymous, 2008-04-17T07:31:00.000-07:00

In use case 1: I can understand why the EquivID would need to be in the XRDS returned by the Yadis discovery process at the blog hosting site (which is being used to verify the claim in the original XRDS file) since that Yadis system would be saying: "I think this XRDS file is equivalent to the one you asked about...." But I don't understand why an EquivID would need to be in the XRDS file that is being verified. Or, perhaps I misunderstood what you wrote...

bob wyman