RE: XRI vote aftermath from Drummond Reed on 2008-06-10 (www-tag@w3.org from June 2008)

From: Drummond Reed <drummond.reed@cordance.net>
Date: Mon, 9 Jun 2008 18:28:44 -0700
To: "'Mark Baker'" <distobj@acm.org>
Cc: <www-tag@w3.org>
Message-ID: <049d01c8ca99$536e1730$0800a8c0@ELROND>

Hi Mark,

> Monday, June 09, 2008 11:33 AM, Mark Baker wrote:
> 
> Hi Drummond,
> 
> On Mon, Jun 9, 2008 at 12:07 PM, Drummond Reed
> <drummond.reed@cordance.net> wrote:
> > Mark,
> >
> > Of course you are right, any URI is an identifier, and can be used to
> > identify a resource regardless of protocol or interaction method.
> However
> > URIs whose schemes are protocols or interaction methods (e.g., http:,
> > https:, ftp:, mailto:) tend to create confusion if either: a) the
> resource
> > is completely abstract and thus not available over that protocol, or b)
> the
> > resource is accessed over other protocols.
> 
> I agree that sometimes confusion results, but that's a brain problem.
> I've yet to see it cause an interoperability problem 8-)

When it comes to security, a brain problem is an interoperability problem.
Kim Cameron discusses this in Law 6 and Law 7 of his "Laws of Identity" [1].

> > Of particular concern is how you establish synonymity of identifiers
> across
> > multiple protocols (i.e., prove the identifiers identify the same target
> > resource) if the identifier indicates a specific protocol. Here's a
> > practical example: as explained in [1], the editors of OpenID
> Authentication
> > 2.0 [2] found that, as much as they wanted to, they could not specify
> that
> > http: and https: URIs that were equivalent in all respects except the
> scheme
> > identified the same resource. So the OpenID Authentication 2.0 spec
> requires
> > OpenID relying parties to default partially-typed OpenID URLs (e.g.,
> > user.openidprovider.com or opidprovider.com/user) to http: URIs. This
> means
> > OpenID users who want the higher security of using an https: URI (as
> > recommended by the spec) must type the entire string beginning with
> > "https:", which is widely acknowledged as a usability issue.
> 
> The OpenID editors were right not to make assumptions about http and
> https URI equivalence.  But couldn't the http/https synonym problem be
> solved by a publisher establishing a redirect from an http URI to an
> https URI?

It is that redirect which can be compromised by an attacker. The OpenID
Authentication 2.0 spec acknowledges that the strongest security is when the
OpenID relying party begins with an https URI; this is something all XRI
users of OpenID can enjoy without any additional knowledge or effort.

Best,

=Drummond 

[1] http://www.identityblog.com/stories/2004/12/09/thelaws.html

Received on Tuesday, 10 June 2008 01:29:37 UTC