RE: Origin vs Authority; use of HTTPS (draft-nottingham-site-meta-01)

> -----Original Message-----
> From: Mark Nottingham [mailto:mnot@yahoo-inc.com]
> Sent: Tuesday, February 10, 2009 4:31 PM
>
> My understanding of the discussion's resolution was that this is not a
> goal for this spec any more; i.e., if there's any boundary-hopping, it
> will be defined by the protocol or application in use.

The only use case for finding out information about email addresses through host-meta is no longer in consideration. It was dropped mostly due to the fact that mailto URIs do not have an authority, which means that in order to go from a mailto URI to a host-meta authority, one has to write special handling specific to that URI scheme. This is not something we wanted to do in either host-meta or the discovery spec [1].

If the OpenID community wants to support email identifiers, they should find a way to address that at the application level, including dealing with all the authority and security issues it raises.

> I'm happy to clarify this by either adding scheme/protocol to the
> (host, port) tuple (although we'll probably have to come up with a
> different term than "authority"; PLEASE don't say "endpoint" ;), which
> will affect both the default scoping of application as well as the
> discovery mechanism, or just limiting it to discovery.

First, scheme is incorrect here as the scheme does not always determine a specific protocol (see the "'http' is not just for HTTP" saga). There are two ways in which a host-meta file can be obtained:

1. Given a host/port/protocol, the client can connect to the host/port and speak the protocol to obtain the resource /host-meta.

2. Given a URI, the client can connect to the host/port of the URI authority, speak the implied protocol from the URI scheme, and ask for the /host-meta resource. The resulting document is scoped for the host/port/protocol used.

Now, if someone had a mailto: URI, they could decide that for that application (which is likely to be an HTTP application) they are going to use the HTTP protocol with the domain name (and default port 80) of the email address. But again, that is outside the scope of our effort.

EHL
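The two ways of locating host-meta described in the message above, as an added example that is not part of the original thread or of the draft: the scope is the (host, port, protocol) tuple, and a URI without an authority (mailto:) cannot be mapped to one. The scheme-to-protocol table and default ports are an assumption made here for the example.

```python
from urllib.parse import urlsplit

# Assumption for this example: the protocol implied by a scheme and its
# default port.  The thread notes that a scheme does not always fix the
# protocol, so this table is deliberately small and explicit.
IMPLIED_PROTOCOL = {"http": ("http", 80), "https": ("https", 443)}


def host_meta_scope(uri):
    """Way (2): derive the (host, port, protocol) scope that a /host-meta
    fetched for `uri` would describe.

    Raises ValueError when the URI has no authority component (e.g. mailto:)
    or when its scheme has no implied protocol in IMPLIED_PROTOCOL.
    """
    parts = urlsplit(uri)
    if not parts.netloc or parts.hostname is None:
        raise ValueError("no authority component in %r; cannot locate host-meta" % uri)
    scheme = parts.scheme.lower()
    if scheme not in IMPLIED_PROTOCOL:
        raise ValueError("no implied protocol known for scheme %r" % scheme)
    protocol, default_port = IMPLIED_PROTOCOL[scheme]
    port = parts.port if parts.port is not None else default_port
    # userinfo, path and query are dropped: only the authority scopes host-meta
    return (parts.hostname.lower(), port, protocol)


def host_meta_url(host, port, protocol):
    """Way (1): given host/port/protocol, the URL a client dereferences."""
    if ":" in host:  # an IPv6 literal must be bracketed inside a URL
        host = "[%s]" % host
    return "%s://%s:%d/host-meta" % (protocol, host, port)


def same_host_meta(uri_a, uri_b):
    """True when both URIs fall under one and the same host-meta document."""
    return host_meta_scope(uri_a) == host_meta_scope(uri_b)
```

Note that http://example.com/ and https://example.com/ end up in different scopes even though they share host and default-port-equivalent authority naming, which is the point of carrying the protocol in the tuple.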

Received on Wednesday, 11 February 2009 07:38:47 UTC