openxri-users — Discussion for users of OpenXRI software

Re: [Openxri-users] still alive?

[Markus S. <mar...@gm...>]

Hello Sandor,

There hasn't been any (significant) development on OpenXRI in years, mostly
because its purpose and functionality have been superceded by XDI:
https://www.oasis-open.org/committees/xdi/

There is still a working registry of XRI identifiers (nowadays called
"cloud names"), and there is still a working resolution service that can be
used with OpenXRI. And you can still use the OpenXRI server to manage your
own XRI identifiers.
So while we're not advancing OpenXRI anymore, it is a stable implementation
of XRI Resolution 2.0
http://docs.oasis-open.org/xri/2.0/specs/xri-resolution-V2.0.html

So you might be able to use it for your purposes just fine.
Or you might want to look at XDI instead, and its implementation XDI2:
http://xdi2.org/

Looking at your e-mail address, are you in Vienna?
If so, we could meet up some time in mid-end April.

hope this helps,
Markus


On Tue, Mar 24, 2015 at 4:49 PM, Sandor Kopacsi, PhD <
san...@un...> wrote:

> Dear list members,
> I found OpenXRI project on the Web and I am interested in if it is still
> alive, or is there anyone who is using the results.
> I am taking part in the development of an archiving system, where we are
> considering if XRI and OpenXRI would be suitable.
> Looking forward to hearing from you soon.
> Best Regards,
> Sandor
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for
> all
> things parallel software development, from weekly thought leadership blogs
> to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Openxri-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxri-users
>

[Openxri-users] still alive?

[Sandor K. P. <san...@un...>]

Dear list members,
I found OpenXRI project on the Web and I am interested in if it is still 
alive, or is there anyone who is using the results.
I am taking part in the development of an archiving system, where we are 
considering if XRI and OpenXRI would be suitable.
Looking forward to hearing from you soon.
Best Regards,
Sandor

Re: [Openxri-users] XRI 3.0 parsing with OpenXRI

[Markus S. <mar...@gm...>]

OpenXRI and XDI2 users,

I re-created the XRI 3.0 parser <http://openxri.org/syntax.html> using a
recent version of aParse <http://www.parse2.com> (version 2.2).
This replaces the five year old XRI 3.0 parser that had been created with
aParse version 0.5.

I do not know if the improvements of aParse have any effect on the XRI 3.0
parser, e.g. bug fixes or improved performace.
But all the unit tests of both OpenXRI and XDI2 are passing just fine, so I
assume it's a good thing to have an updated version.

I also created a simple web interface to the parser:
http://xdi2.projectdanube.org/XRIParser

Markus

On Thu, Oct 18, 2012 at 9:34 PM, Drummond Reed <dru...@co...> wrote:

> Awesome info, Markus. Thanks - we may start getting a lot more questions
> about this soon as folks start looking at using XDI2 commercially.
>
> =Drummond
>
>
> On Thu, Oct 18, 2012 at 12:08 PM, Markus Sabadello <
> mar...@gm...> wrote:
>
>> The tool I used in 2007 is called "aParse" (it even mentions XRI in the
>> "Examples" section of its website):
>> http://www.parse2.com/
>>
>> Oh, apparently it's still being maintained!
>> So maybe I should re-create the OpenXRI parser with a more recent version
>> of aParse.
>>
>> Here's the home of the OpenXRI syntax library, which is used by both XDI2
>> and OX:
>> http://openxri.org/syntax.html
>>
>> Here's the ABNF I used as input back then, together with a few notes:
>>
>> http://openxri.svn.sourceforge.net/viewvc/openxri/openxri4j/trunk/openxri-syntax/src/main/resources/xri-draft19.abnf?revision=496&view=markup
>>
>> A web-based deployment of the parser is here:
>> http://freexri.com/tools/XRIInspector3/
>>
>> Markus
>>
>>
>

[Openxri-users] XRI 3.0 parsing with OpenXRI

[Markus S. <mar...@gm...>]

The tool I used in 2007 is called "aParse" (it even mentions XRI in the
"Examples" section of its website):
http://www.parse2.com/

Oh, apparently it's still being maintained!
So maybe I should re-create the OpenXRI parser with a more recent version
of aParse.

Here's the home of the OpenXRI syntax library, which is used by both XDI2
and OX:
http://openxri.org/syntax.html

Here's the ABNF I used as input back then, together with a few notes:
http://openxri.svn.sourceforge.net/viewvc/openxri/openxri4j/trunk/openxri-syntax/src/main/resources/xri-draft19.abnf?revision=496&view=markup

A web-based deployment of the parser is here:
http://freexri.com/tools/XRIInspector3/

Markus

[Openxri-users] (no subject)

[Peter W. <ho...@ms...>]

http://www.volvoklub.cz/wp-content/plugins/mm-forms-community/upload/temp/google.html
 		 	   		  

[Openxri-users] xri2xrd.net and xri2swd.net

[Markus S. <mar...@xd...>]

Hello,

FYI in OpenXRI there are now 2 "discovery mapping" services:

- http://xri2xrd.net ... Maps XRI resolution to XRD and therefore makes it
compatible with Webfinger and OStatus.. This has been used by Project Danube
to achieve the SWAT0 interoperability with status.net and other Federated
Social Web implementations.
- http://xri2swd.net ... Maps XRI resolution to SWD and therefore makes it
compatible with OpenID Connect Discovery. Actually this isn't quite true
(yet), because for SWD you need TLS, and there's no certificate for this
service (yet).

Markus

[Openxri-users] xri2xrd.net

[Markus S. <mar...@gm...>]

Hello XRI TC, OpenXRI list,

I set up an experimental service that maps the XRDS format currently used by
XRI Resolution [1] to the XRD format [2].

E.g. try this: http://xri2xrd.net/=markus

You will get:

<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
<Subject>http://xri.net/=!91F2.8153.F600.AE24</Subject>
<Alias>http://xri.net/=markus</Alias>
<Link  rel="http://openid.net/signon/1.0" href="
https://authn.fullxri.com/authentication/" />
<Link  rel="http://specs.openid.net/auth/2.0/signon" href="
https://authn.fullxri.com/authentication/" />
<Link  rel="xri://+i-service*(+contact)*($v*1.0)" href="
http://contact.fullxri.com/contact/" />
<Link  rel="xri://+i-service*(+forwarding)*($v*1.0)" href="
http://forwarding.fullxri.com/forwarding/" />
<Link  rel="xri://$res*auth*($v*2.0)" href="
http://resolve.fullxri.com/ns/=markus/" type="application/xrds+xml" />
<Link  rel="xri://$res*auth*($v*2.0)" href="
https://resolve.fullxri.com/ns/=markus/" type="application/xrds+xml" />
<Link  rel="xri://$xdi!($v!1)" href="
https://xdi.fullxri.com/=!91F2.8153.F600.AE24<https://xdi.fullxri.com/=%2191F2.8153.F600.AE24>"
/>
<Link  rel="xri://$res*auth*($v*2.0)" href="
https://resolve.freexri.com/ns/=web/" type="application/xrds+xml" />
<Link  rel="xri://$res*auth*($v*2.0)" href="
http://resolve.freexri.com/ns/=web/" type="application/xrds+xml" />
<Link  rel="xri://+i-service*(+busy)*($v*1.0)" href="
http://www.busystatus.com/iservice/" />
<Link  rel="magic-public-key"
href="data:application/magic-public-key,RSA.iXT0Icgj-FwyP-Ji5z1ud7vWnWHKRwLXaVPuMlV5AcwjlhlF8qK9l55Ybni6WQxVpPXUqIJuMPVZbB-N0MKxl7cpKaMIshbn-mmXMYyONn_cT0PlfVwJgoiGjmndb1T3elIjvALBKgtt--QHUi8qhBEN3_TiD_mJa9-foZcnNE0=.AQAB"
/>
</XRD>

The mapping is lossy, i.e. not all of the XRDS semantics are completely
carried over to XRD.
If you have thoughts/comments about the mapping, please let me know.

A tool like this can be useful to make i-names compatible with discovery
mechanisms such as LRDD and Webfinger.

The code for the xri2xrd tool has been contributed to OpenXRI.

Markus

[1]
http://www.oasis-open.org/committees/download.php/27432/xri-resolution-V2.0-cd-02-rv-04.pdf
[2] http://docs.oasis-open.org/xri/xrd/v1.0/xrd-1.0.html

Re: [Openxri-users] OpenXRI 1.2.1 released

[Drummond R. <dru...@co...>]

Markus, awesome. Thanks for pushing this out.

=Drummond

On Wed, Jun 16, 2010 at 1:48 PM, Markus Sabadello
<mar...@xd...>wrote:

> Hello,
>
> OpenXRI version 1.2.1 is now available. This maintenance release contains
> the following improvements:
> - Caching support in the resolver client by Wil. Caching can be configured
> in various ways and works on a per-subsegment level. E.g. if you resolve
> =web*markus and then =web*someone, then XRD for =web should already be
> cached. Caching takes into account the relevant HTTP headers as well as the
> XRD <Expires> element.
> - Improved web admin interface for the server. It is now easier to set up
> new "root namespaces" for the OpenXRI server as well as to find existing
> authorities via the convenient "Quick Authority Lookup" box. Also there are
> some bugfixes related to the authority graph diagrams. A live deployment of
> this web admin interface is available at http://admin.testxri.com/.
> - Some smaller bugfixes and improvements in the client and server.
>
> All the changes should be fully backwards compatible with the previous
> version.
>
> You can download 1.2.1 from Sourceforge (
> http://sourceforge.net/projects/openxri/). It will take a few more days
> for the new version to be available via Maven, then you can reference e.g.
> the client like this in your project:
>
>         <dependency>
>             <groupId>org.openxri</groupId>
>             <artifactId>openxri-client</artifactId>
>             <version>1.2.1</version>
>         </dependency>
>
> The main site with links to all the important places is here:
> http://openxri.org/
>
> Have fun
> Markus
>
>

[Openxri-users] OpenXRI 1.2.1 released

[Markus S. <mar...@xd...>]

Hello,

OpenXRI version 1.2.1 is now available. This maintenance release contains
the following improvements:
- Caching support in the resolver client by Wil. Caching can be configured
in various ways and works on a per-subsegment level. E.g. if you resolve
=web*markus and then =web*someone, then XRD for =web should already be
cached. Caching takes into account the relevant HTTP headers as well as the
XRD <Expires> element.
- Improved web admin interface for the server. It is now easier to set up
new "root namespaces" for the OpenXRI server as well as to find existing
authorities via the convenient "Quick Authority Lookup" box. Also there are
some bugfixes related to the authority graph diagrams. A live deployment of
this web admin interface is available at http://admin.testxri.com/.
- Some smaller bugfixes and improvements in the client and server.

All the changes should be fully backwards compatible with the previous
version.

You can download 1.2.1 from Sourceforge (
http://sourceforge.net/projects/openxri/). It will take a few more days for
the new version to be available via Maven, then you can reference e.g. the
client like this in your project:

        <dependency>
            <groupId>org.openxri</groupId>
            <artifactId>openxri-client</artifactId>
            <version>1.2.1</version>
        </dependency>

The main site with links to all the important places is here:
http://openxri.org/

Have fun
Markus

Re: [Openxri-users] FW: xrd 1.0

[Will N. <wi...@wi...>]

For right now, I know I'm planning on including the following basic  
functionality in the OpenXRD library:
   - XML marshalling and unmarshalling (provided by the XMLTooling  
library, which was developed as part of OpenSAML)
   - Message signing and signature verification
   - Discovery of XRD documents.  The default configuration will  
likely use the discovery methods defined by LRDD (HTML <link> element,  
HTTP response Link header, Host Meta).  Other discovery methods (such  
as DNS) can be registered as well.
   - Selection of a linked resource based on a specified criteria
   - Processing of URITemplates using registered template dictionaries

I haven't yet worked out how much of the trust logic should be in the  
library.  I suspect that will depend on what XRD Trust profiles look  
like once we get them written.  Very likely there will be  
implementations of the most common approaches provided, but in a way  
that others can be easily used.  The fact that we're using XMLTooling  
for all of the XML handling may be enough of a deal breaker for  
OpenXRI, I don't know.

Peter, what "Shibboleth ideas for security infrastructure management"  
is it that you are referring to that you don't want?  Is this  
something in OpenSAML that you've run in to previously?


Given that XRD is still a moving target (especially the processing  
rules that have been in flux the last week), I've actually halted  
development on the library until things settle down a bit so I can  
focus on some other things.  You can see what has been implemented  
thus far at:

http://svn.middleware.georgetown.edu/view/java-openxrd/trunk/

The unit tests will probably be the most useful for seeing how things  
are expected to be used.

-will


On Sep 20, 2009, at 9:48 AM, Peter Williams wrote:

> That aligns largely with my thinking, except that I assume an better  
> XRD
> interface should allow different runtime libraries to be plugged in.
> Reference libraries serve standards communities, but not user  
> communities
> (as they typically stifle application, as the committee struggles to  
> get
> consensus on funamentals).
>
>
>
> Im simply treating the XRD 1.0 format as a marshalling issue. And,  
> of course
> one can have different serializations of the XRD type. During  
> serialization
> of types to a wire format (e.g. XML), various signing and encryption  
> scheme
> are performed - applying the commonly undertood art from the world  
> of signed
> ASN.1 types (that have long spit out XML, as well as DER, PER, etc)
>
>
>
> The question is, will that "reference" library come loaded with
> Shibboleth/Internet2 conceptions of configuration, key management,  
> crypto,
> etc.
>
>
>
> If so - and assuming its loaded full of all the usual Shibboleth  
> ideas for
> security infrastructure management - I don't want it.
>
>
>
> I just want to marshall the current XRD type using the new bit  
> format. Does
> it need to be any bigger any issue than that?
>
>
>
> From: mar...@gm... [mailto:mar...@gm...]  
> On
> Behalf Of Markus Sabadello
> Sent: Sunday, September 20, 2009 3:55 AM
> To: Wil Tan
> Cc: Peter Williams; ope...@li...; Will Norris
> Subject: Re: [Openxri-users] FW: xrd 1.0
>
>
>
> I know that Will Norris who is most active on the XRI TC is planning a
> reference implementation of XRD 1.0.
>
> I don't know the current state of this, but I think it would be
> straightforward that we at OpenXRI then use his library instead of
> implementing XRD ourselves..
>
> Markus
>
> On Sun, Sep 20, 2009 at 4:31 AM, Wil Tan <dr...@gm...> wrote:
>
> Streams, as in, a sequence of documents, or a sequence of nodes in a
> document that is unending?
>
>
>
> It would be good to get the various parts of OpenXRI ready for XRD  
> 1.0 (if
> they aren't already.)
>
>
>
> =wil
>
> On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...>  
> wrote:
>
> I built myself a responder that can produce xrd 1.0 (draft) streams.
>
>
>
> How might we in this community include and explore such code?
>
> Do we want to?
>
> Do our sponsors want this public?
>
>
>
> How might we allow folks to explore this, either in source or binary
> distiution?

Re: [Openxri-users] FW: xrd 1.0

[Peter W. <ho...@ms...>]

So I'm in two minds about the opensaml tooling lib

Upgrading the whole type system for xrd in openxri to that lib is the  
right thing to do. Higher assurance requires formal methods, and  
secure type systems - where access and export constraints are enforced  
in such as a tooling lib. Proofs from info flow theory are possible,  
once one has a decent type system in charge.

What I didn't like about that particular lib was it's  philosophy for  
security service integration - as values are handled at the protection  
boundary. It's all fine as research, but not for folks mired in legacy  
infrastructure.




On Sep 21, 2009, at 11:25 AM, Will Norris <wi...@wi...> wrote:

> For right now, I know I'm planning on including the following basic  
> functionality in the OpenXRD library:
>  - XML marshalling and unmarshalling (provided by the XMLTooling  
> library, which was developed as part of OpenSAML)
>  - Message signing and signature verification
>  - Discovery of XRD documents.  The default configuration will  
> likely use the discovery methods defined by LRDD (HTML <link>  
> element, HTTP response Link header, Host Meta).  Other discovery  
> methods (such as DNS) can be registered as well.
>  - Selection of a linked resource based on a specified criteria
>  - Processing of URITemplates using registered template dictionaries
>
> I haven't yet worked out how much of the trust logic should be in  
> the library.  I suspect that will depend on what XRD Trust profiles  
> look like once we get them written.  Very likely there will be  
> implementations of the most common approaches provided, but in a way  
> that others can be easily used.  The fact that we're using  
> XMLTooling for all of the XML handling may be enough of a deal  
> breaker for OpenXRI, I don't know.
>
> Peter, what "Shibboleth ideas for security infrastructure  
> management" is it that you are referring to that you don't want?  Is  
> this something in OpenSAML that you've run in to previously?
>
>
> Given that XRD is still a moving target (especially the processing  
> rules that have been in flux the last week), I've actually halted  
> development on the library until things settle down a bit so I can  
> focus on some other things.  You can see what has been implemented  
> thus far at:
>
> http://svn.middleware.georgetown.edu/view/java-openxrd/trunk/
>
> The unit tests will probably be the most useful for seeing how  
> things are expected to be used.
>
> -will
>
>
> On Sep 20, 2009, at 9:48 AM, Peter Williams wrote:
>
>> That aligns largely with my thinking, except that I assume an  
>> better XRD
>> interface should allow different runtime libraries to be plugged in.
>> Reference libraries serve standards communities, but not user  
>> communities
>> (as they typically stifle application, as the committee struggles  
>> to get
>> consensus on funamentals).
>>
>>
>>
>> Im simply treating the XRD 1.0 format as a marshalling issue. And,  
>> of course
>> one can have different serializations of the XRD type. During  
>> serialization
>> of types to a wire format (e.g. XML), various signing and  
>> encryption scheme
>> are performed - applying the commonly undertood art from the world  
>> of signed
>> ASN.1 types (that have long spit out XML, as well as DER, PER, etc)
>>
>>
>>
>> The question is, will that "reference" library come loaded with
>> Shibboleth/Internet2 conceptions of configuration, key management,  
>> crypto,
>> etc.
>>
>>
>>
>> If so - and assuming its loaded full of all the usual Shibboleth  
>> ideas for
>> security infrastructure management - I don't want it.
>>
>>
>>
>> I just want to marshall the current XRD type using the new bit  
>> format. Does
>> it need to be any bigger any issue than that?
>>
>>
>>
>> From: mar...@gm...  
>> [mailto:mar...@gm...] On
>> Behalf Of Markus Sabadello
>> Sent: Sunday, September 20, 2009 3:55 AM
>> To: Wil Tan
>> Cc: Peter Williams; ope...@li...; Will Norris
>> Subject: Re: [Openxri-users] FW: xrd 1.0
>>
>>
>>
>> I know that Will Norris who is most active on the XRI TC is  
>> planning a
>> reference implementation of XRD 1.0.
>>
>> I don't know the current state of this, but I think it would be
>> straightforward that we at OpenXRI then use his library instead of
>> implementing XRD ourselves..
>>
>> Markus
>>
>> On Sun, Sep 20, 2009 at 4:31 AM, Wil Tan <dr...@gm...> wrote:
>>
>> Streams, as in, a sequence of documents, or a sequence of nodes in a
>> document that is unending?
>>
>>
>>
>> It would be good to get the various parts of OpenXRI ready for XRD  
>> 1.0 (if
>> they aren't already.)
>>
>>
>>
>> =wil
>>
>> On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...>  
>> wrote:
>>
>> I built myself a responder that can produce xrd 1.0 (draft) streams.
>>
>>
>>
>> How might we in this community include and explore such code?
>>
>> Do we want to?
>>
>> Do our sponsors want this public?
>>
>>
>>
>> How might we allow folks to explore this, either in source or binary
>> distiution?
>
>

Re: [Openxri-users] FW: xrd 1.0

[Peter W. <ho...@ms...>]

All I've done to date is the obvious (since Im an incompetent programmer).

 

I subclassed the XRD type.

 

I subclassed the AbstractServer, overriding its methods. The overridden
methods let the data layer work with XRD classes, produce a value, which I
marshall into XML and then unmarshall into my subclass.

 

My subclass serializes according to my own formats. This be a XRD 1.0
format, of course. My assumption is that there will many different profiles
of the XRD 1.0 format, and all of these should be supported as extensions
are added by various communities.

 

From: Wil Tan [mailto:dr...@gm...] 
Sent: Saturday, September 19, 2009 7:32 PM
To: Peter Williams
Cc: ope...@li...
Subject: Re: [Openxri-users] FW: xrd 1.0

 

Streams, as in, a sequence of documents, or a sequence of nodes in a
document that is unending?

 

It would be good to get the various parts of OpenXRI ready for XRD 1.0 (if
they aren't already.)

 

=wil

On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...> wrote:

I built myself a responder that can produce xrd 1.0 (draft) streams.

 

How might we in this community include and explore such code?

Do we want to?

Do our sponsors want this public?

 

How might we allow folks to explore this, either in source or binary
distiution?


----------------------------------------------------------------------------
--
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf
_______________________________________________
Openxri-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openxri-users

 

Re: [Openxri-users] FW: xrd 1.0

[Peter W. <ho...@ms...>]

That aligns largely with my thinking, except that I assume an better XRD
interface should allow different runtime libraries to be plugged in.
Reference libraries serve standards communities, but not user communities
(as they typically stifle application, as the committee struggles to get
consensus on funamentals).

 

Im simply treating the XRD 1.0 format as a marshalling issue. And, of course
one can have different serializations of the XRD type. During serialization
of types to a wire format (e.g. XML), various signing and encryption scheme
are performed - applying the commonly undertood art from the world of signed
ASN.1 types (that have long spit out XML, as well as DER, PER, etc)

 

The question is, will that "reference" library come loaded with
Shibboleth/Internet2 conceptions of configuration, key management, crypto,
etc.

 

If so - and assuming its loaded full of all the usual Shibboleth ideas for
security infrastructure management - I don't want it.

 

I just want to marshall the current XRD type using the new bit format. Does
it need to be any bigger any issue than that?

 

 

 

From: mar...@gm... [mailto:mar...@gm...] On
Behalf Of Markus Sabadello
Sent: Sunday, September 20, 2009 3:55 AM
To: Wil Tan
Cc: Peter Williams; ope...@li...; Will Norris
Subject: Re: [Openxri-users] FW: xrd 1.0

 

I know that Will Norris who is most active on the XRI TC is planning a
reference implementation of XRD 1.0.

I don't know the current state of this, but I think it would be
straightforward that we at OpenXRI then use his library instead of
implementing XRD ourselves..

Markus

On Sun, Sep 20, 2009 at 4:31 AM, Wil Tan <dr...@gm...> wrote:

Streams, as in, a sequence of documents, or a sequence of nodes in a
document that is unending?

 

It would be good to get the various parts of OpenXRI ready for XRD 1.0 (if
they aren't already.)

 

=wil

On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...> wrote:

I built myself a responder that can produce xrd 1.0 (draft) streams.

 

How might we in this community include and explore such code?

Do we want to?

Do our sponsors want this public?

 

How might we allow folks to explore this, either in source or binary
distiution?

 

----------------------------------------------------------------------------
--
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf
_______________________________________________
Openxri-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openxri-users

 


----------------------------------------------------------------------------
--
Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
http://p.sf.net/sfu/devconf
_______________________________________________
Openxri-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openxri-users

 

Re: [Openxri-users] FW: xrd 1.0

[Markus S. <mar...@xd...>]

I know that Will Norris who is most active on the XRI TC is planning a
reference implementation of XRD 1.0.

I don't know the current state of this, but I think it would be
straightforward that we at OpenXRI then use his library instead of
implementing XRD ourselves..

Markus

On Sun, Sep 20, 2009 at 4:31 AM, Wil Tan <dr...@gm...> wrote:

> Streams, as in, a sequence of documents, or a sequence of nodes in a
> document that is unending?
> It would be good to get the various parts of OpenXRI ready for XRD 1.0 (if
> they aren't already.)
>
> =wil
>
> On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...> wrote:
>
>>  I built myself a responder that can produce xrd 1.0 (draft) streams.
>>
>>
>>
>> How might we in this community include and explore such code?
>>
>> Do we want to?
>>
>> Do our sponsors want this public?
>>
>>
>>
>> How might we allow folks to explore this, either in source or binary
>> distiution?
>>
>>
>> ------------------------------------------------------------------------------
>> Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
>> is the only developer event you need to attend this year. Jumpstart your
>> developing skills, take BlackBerry mobile applications to market and stay
>> ahead of the curve. Join us from November 9&#45;12, 2009. Register
>> now&#33;
>> http://p.sf.net/sfu/devconf
>> _______________________________________________
>> Openxri-users mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openxri-users
>>
>>
>
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
> http://p.sf.net/sfu/devconf
> _______________________________________________
> Openxri-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxri-users
>
>

Re: [Openxri-users] FW: xrd 1.0

[Wil T. <dr...@gm...>]

Streams, as in, a sequence of documents, or a sequence of nodes in a
document that is unending?
It would be good to get the various parts of OpenXRI ready for XRD 1.0 (if
they aren't already.)

=wil

On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...> wrote:

>  I built myself a responder that can produce xrd 1.0 (draft) streams.
>
>
>
> How might we in this community include and explore such code?
>
> Do we want to?
>
> Do our sponsors want this public?
>
>
>
> How might we allow folks to explore this, either in source or binary
> distiution?
>
>
> ------------------------------------------------------------------------------
> Come build with us! The BlackBerry&reg; Developer Conference in SF, CA
> is the only developer event you need to attend this year. Jumpstart your
> developing skills, take BlackBerry mobile applications to market and stay
> ahead of the curve. Join us from November 9&#45;12, 2009. Register now&#33;
> http://p.sf.net/sfu/devconf
> _______________________________________________
> Openxri-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxri-users
>
>

[Openxri-users] FW: xrd 1.0

[Peter W. <ho...@ms...>]

I built myself a responder that can produce xrd 1.0 (draft) streams.

 

How might we in this community include and explore such code?

Do we want to?

Do our sponsors want this public?

 

How might we allow folks to explore this, either in source or binary
distiution?

Re: [Openxri-users] Information Card versus XRI?

[Torsten S. <tsc...@gm...>]

Drummond!

Thanks for taking the time help me a bit in my endeavor to make sense of
the identity jungle.

I have been reading that entry on your blog carefully and followed some
of the links. I had also seen the Higgins project before (asking myself
what it has to do with Eclipse, but never mind) and can't help the
feeling I may be missing something.

Now I found that I think my problem is to properly distinguish between:

a) abstract ideas or concepts
b) concrete proposed or established standards for information
representation and discovery
c) standardized protocols which would enable any interaction between
systems exchanging information represented in one of the standardized
formats
d) tangible implementations of b) and c)

You know, I currently try to get some "normal" people interested in
state of the art Internet identity subjects as the idea that you may now
want to publish all your contact information to anyone all the time just
gains attention amount the "normal public" these days as the majority of
people only start now to understand the problem of spam, identity theft
or reputation issues which may arise from too open sharing of all kinds
of personal information on the web.

I think many social networks provide some nice mechanisms how I can
control who will have access to what data in my profile there. But this
is all proprietary most of the time. So if I am in Flickr, Facebook and
LinkedIn to name a few, I need to manage in each of them separately who
is allowed to see and do what with my data and who isn't.

I hope I assume right that the idea of all this Internet identity stuff,
i.e. XRDS, XRI, OpenID, i-Card, r-Card and the like are targeted towards
providing some kind of open standard here so typical social (and other)
networking services could use this information which I edit once and
which I might want to store on a system which *I* trust, not necessarily
on any of *their* servers.

Are we in sync up to here?

If yes, what also caught my intention in your blog post was:

http://cyber.law.harvard.edu/projectvrm/Personal_Address_Manager_Service

I think this would be pretty much what I am would be looking to make
happen using XRDS, XRI, possibly an OpenXRI server and some r-Cards. For
example, I would want to be able not to give a company from which I buy
a service (Internet, mobile phone, electricity) all my contact details
but I would want to give them an r-Card which will allow them to contact
me if needed *for the duaration of the contract*. I would want to be
able to withdraw this r-Card if I decide not to buy there services any
more and I would thus be save from voice, email or printed spam. I think
this is the killer app people would be looking for, isn't it?

Now I failed so far to properly understand how such a scenario would be
implemented using an r-Card, for example. You talk in your blog about a
demo which has been done once with physical attendance and where you
have been using printed r-Cards and scissors. I can't imagine what you
had been doing there. I guess it's not on YouTube, is it?

Regards,
Torsten



Drummond Reed schrieb:
> Torsten,
> 
> My apologies - I was on vacation when you sent your message so I only just
> reached it.
> 
> There are connections between XRI and both OpenID and Information Cards. In
> the case of OpenID, XRI is one of the types of identifiers recognized in
> OpenID 2.0. In the case of Information Cards, XRIs are used for a new type
> of Information Card called a "relationship card". It's basically an
> Information Card that includes a special claim that opens up an ongoing data
> sharing channel between the two parties. See my blog post at:
> 
> 	www.equalsdrummond.name/?p=135
> 
> The other relationship is that, in part due to my being on of the founding
> directors of the Information Card Foundation (ICF), I was asked to become
> Executive Director last March and accepted. So in addition to serving as
> co-chair of the OASIS XRI and XDI Technical Committees, I also serve as
> Executive Director of the ICF.
> 
> I think even more cross-connections -- between OpenID, Information Cards,
> SAML, and XRI/XDI -- are coming in the next year, so it will be fun to see
> how it all comes together.
> 
> Hope this helps,
> 
> =Drummond 
> http://xri.net/=drummond.reed  
> 
>> -----Original Message-----
>> From: Torsten Schlabach [mailto:tsc...@gm...]
>> Sent: Wednesday, August 12, 2009 4:15 AM
>> To: ope...@li...
>> Subject: [Openxri-users] Information Card versus XRI?
>>
>> Hi!
>>
>> Can anyone tell me how XRI and http://informationcard.net/ relate? Does
>> Information Card build upon XRI?
>>
>> I noticed that a Drummond Read seems to be involved in both.
>>
>> Regards,
>> Torsten
>>
>> --------------------------------------------------------------------------
>> ----
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-
>> Day
>> trial. Simplify your report design, integration and deployment - and focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Openxri-users mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openxri-users

Re: [Openxri-users] Information Card versus XRI?

[Drummond R. <dru...@co...>]

Torsten,

My apologies - I was on vacation when you sent your message so I only just
reached it.

There are connections between XRI and both OpenID and Information Cards. In
the case of OpenID, XRI is one of the types of identifiers recognized in
OpenID 2.0. In the case of Information Cards, XRIs are used for a new type
of Information Card called a "relationship card". It's basically an
Information Card that includes a special claim that opens up an ongoing data
sharing channel between the two parties. See my blog post at:

	www.equalsdrummond.name/?p=135

The other relationship is that, in part due to my being on of the founding
directors of the Information Card Foundation (ICF), I was asked to become
Executive Director last March and accepted. So in addition to serving as
co-chair of the OASIS XRI and XDI Technical Committees, I also serve as
Executive Director of the ICF.

I think even more cross-connections -- between OpenID, Information Cards,
SAML, and XRI/XDI -- are coming in the next year, so it will be fun to see
how it all comes together.

Hope this helps,

=Drummond 
http://xri.net/=drummond.reed  

> -----Original Message-----
> From: Torsten Schlabach [mailto:tsc...@gm...]
> Sent: Wednesday, August 12, 2009 4:15 AM
> To: ope...@li...
> Subject: [Openxri-users] Information Card versus XRI?
> 
> Hi!
> 
> Can anyone tell me how XRI and http://informationcard.net/ relate? Does
> Information Card build upon XRI?
> 
> I noticed that a Drummond Read seems to be involved in both.
> 
> Regards,
> Torsten
> 
> --------------------------------------------------------------------------
> ----
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-
> Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Openxri-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxri-users

Re: [Openxri-users] proxy descriptor

[Peter W. <ho...@ms...>]

and if ai put a keyinfo in that, I'm basically telling the openid consumer how to validate the signed XRDs.

 

Since a consumer is already responsible for some of synonym validation, I working on code that ensure the proxy does not change the server's originally-marshalled XRD types.

 

If the openid consumer is using the resolver API and the proxy provider, Im hoping it will follow SEP-level redirects. Thus, given the id of the consumer, different redirects will land on different target SEPs for the proxy SEP,  each with keyinfo suited to that requestor.

 

Now, I have to change the proxy code so that resigns the (verified) XRDs it receives from auth-res.

 

At that point, I essentially have a STS - where proxy protocol plays the fole of ws-trust. And, I have as many STS instances as there are proxy declarations (and redirects).

 

I hope im using the architecture the way its SUPPOSEd to be being applied, now.


 


Date: Tue, 25 Aug 2009 19:18:42 +0200
Subject: Re: [Openxri-users] proxy descriptor
From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

A proxy SEP looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<Service xmlns="xri://$xrd*($v*2.0)">
 <ProviderID>__myproviderid__</ProviderID>
 <Type select="true">xri://$res*proxy*($v*2.0)</Type>
 <MediaType select="false">application/xrds+xml</MediaType>
 <MediaType select="false">application/xrd+xml</MediaType>
 <MediaType select="false">text/uri-list</MediaType>
 <URI append="none" priority="2">http://__myproxyserver__</URI>
 <URI append="none" priority="1">https://__mysecureproxyserver__</URI>
</Service>

See section 11.1 of http://www.oasis-open.org/committees/download.php/27432/xri-resolution-V2.0-cd-02-rv-04.pdf

The freexri.com UI has a few templates for common SEPs, including proxy SEPs.

I just added proxy SEPs to @freexri and @fullxri. Not sure why I haven't thought of this before.

Markus



On Tue, Aug 25, 2009 at 6:54 PM, Peter Williams <ho...@ms...> wrote:


how do I publish the availability of a proxy service?
 
(we obviously all know how to publish the authres service.)
 
 

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Openxri-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openxri-users

Re: [Openxri-users] proxy descriptor

[Markus S. <mar...@xd...>]

A proxy SEP looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<Service xmlns="xri://$xrd*($v*2.0)">
 <ProviderID>__myproviderid__</ProviderID>
 <Type select="true">xri://$res*proxy*($v*2.0)</Type>
 <MediaType select="false">application/xrds+xml</MediaType>
 <MediaType select="false">application/xrd+xml</MediaType>
 <MediaType select="false">text/uri-list</MediaType>
 <URI append="none" priority="2">http://__myproxyserver__</URI>
 <URI append="none" priority="1">https://__mysecureproxyserver__</URI>
</Service>

See section 11.1 of
http://www.oasis-open.org/committees/download.php/27432/xri-resolution-V2.0-cd-02-rv-04.pdf

The freexri.com UI has a few templates for common SEPs, including proxy
SEPs.

I just added proxy SEPs to @freexri and @fullxri. Not sure why I haven't
thought of this before.

Markus


On Tue, Aug 25, 2009 at 6:54 PM, Peter Williams <ho...@ms...> wrote:

>  how do I publish the availability of a proxy service?
>
> (we obviously all know how to publish the authres service.)
>
>
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Openxri-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxri-users
>
>

[Openxri-users] proxy descriptor

[Peter W. <ho...@ms...>]

how do I publish the availability of a proxy service?

 

(we obviously all know how to publish the authres service.)

 

 

Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com

[Peter W. <ho...@ms...>]

So here is what I don't know (analyzing maturity like a vc):

Is the baseline even complete, without saml, for the security  
enforcement model, for synonym verification

Is the caching model for signed xrd at resolver finished

If the CID is an https uri, does the spec prevail

Do the refs between I'd authorities hold for signed xrd in practice,  
enforcing delegation (for authority migration) properly

Etc etc

I'm wanting now to eval the whole story for supporting advanced trust  
networking, which is incredibly rich of course. It's almost too  
rich...and too far advanced for the market.

I wish the open src code exposed the openid I-service, so one could  
run multi-tenant ops on http mount points.you'd have a business  
winner, there.





On Aug 24, 2009, at 8:08 AM, "Peter Williams" <ho...@ms...> wrote:

> I do have some standards issues.
>
>
>
> If one gets an XRDS via an HXRI proxy, the value that is streamed is 
>  “that which has been cid-validated” (by the proxy). Given the  
> XRDS as sent is not validated (and does not make that claim), the me 
> re act of using a proxy means that the bytes in the XRDS change (to  
> represent verified=true). This is because the XRD container itself i 
> s used to convey the results of processing by an intermediary (rathe 
> r than add a SOAP header, in the ws-security model).
>
>
>
> Thus the signed elements in the  XRDS stream returned by the proxy  
> can never be re-validated, in general by such as the openid consumer.
>
>
>
> What one could do logically is exclude from signing those fields  
> that one expects the communication bearer and resolver to alter. But  
> this will require tuning the standard for the xmldsig ways of doing  
> excluding.
>
>
>
> From: Peter Williams [mailto:ho...@ms...]
> Sent: Monday, August 24, 2009 2:57 AM
> To: mar...@xd...
> Cc: ope...@li...
> Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com
>
>
>
> Things sort of work. Its all kind of half baked. But, its better  
> than it was. its very sensitive.
>
> So that we keep making progress, lets do this.
>
> consider putting the default keypair in the webapp for the admin  
> console.
> consider Adding the commented out trustedServer config to the admin  
> webapp server.xml
>
> Those 2 would mean that the "give me signed" dsecriptor will then  
> work, by default - in the server tab.
>
> to keep going on the walled garden use of XRI theme (where my  
> private server acts as a Resource STS (with OAUTH guarding access to  
> the proxy port that does the mappings)) consider applying the proxy  
> config patch attached. Feel free to improve. Ill guss that it would  
> also enhance the configurability of the xri resolver interactive  
> tool, too?
>
>
>
>
>
>
>
>
> Date: Sun, 23 Aug 2009 13:51:24 +0200
> Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com
> From: mar...@xd...
> To: ho...@ms...
> CC: ope...@li...
>
> Hello Peter, I updated freexri.com again with your latest patches,  
> and I added the following to my code:
>
>         this.resolver.addSAMLBypassAuthority("@");
>         this.resolver.addSAMLBypassAuthority("=");
>         this.resolver.addSAMLBypassAuthority("!");
>
> Now, if I enter @blog*sigtest*sigtestchild in the XRI Resolution  
> tool and turn on "SAML Trusted Resolution", I get the XRD(S) without  
> any error.
>
> Does that mean it works? :D
>
> Markus
>
> On Mon, Aug 17, 2009 at 5:48 PM, Markus Sabadello <mar...@xd... 
> > wrote:
>
> Yeah, I haven't yet updated the various freexri.com tools with your  
> latest patch. Okay, I will try to do that, and configure the  
> resolver to bypass SAML for @, = and !.
>
> No I'm not using my HTTPS cert for signing @blog*... XRDs (I may  
> have said that at some point, if so I was wrong). My cert is self  
> generated and looks like this:
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             a9:c9:f9:ca:34:55:a5:50
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=AT, ST=Vienna, L=Vienna, O=@freeXRI, CN=@! 
> 7F6F.F50.A4E4.1133/emailAddress=of...@fr...
>         Validity
>             Not Before: Jul  9 12:51:58 2008 GMT
>             Not After : Jul  9 12:51:58 2028 GMT
>         Subject: C=AT, ST=Vienna, L=Vienna, O=@freeXRI, CN=@! 
> 7F6F.F50.A4E4.1133/emailAddress=of...@fr...
>
> Markus
>
>
>
> On Mon, Aug 17, 2009 at 5:32 PM, Peter Williams <ho...@ms...>  
> wrote:
>
>
> I  updated to the head.
>
> my unit test works fine, but only when still overriding the (lack  
> of) signature in @blog. The AtAuthority server is not signing @blog  
> (which makes sense, given the DOS opportunity on that root server,  
> when using only software crypto).
>
> not suprisingly, we are getting
>
> Error: Signature verification failed.
> Resolution did not complete successfully.
>
>
>
> from the xri resolution tool on the website, when setting the saml  
> request flag in the webform.
>
> can we apply the override config to that tool, for @, either in code  
> by or config?
>
>               resolver.addSAMLBypassAuthority("@"); // ignore any  
> type of SAML error when processing the XRD for @
>
> and maybe the same for equalsAuthority and BangAuthority?
>
>
>
> its possible that the root hint store of AtAuthority etc also need a  
> keyinfo, for the case that the root server's DO sign.
>
> obviously, its cert needs to that of the root servers signing key...  
> not the cert used by the freeid provider.
>
> I didnt look at the contents of your freeid cert, but recall it may  
> be the same as the https cert on freeid server?
>
> if so, beware of trust issues. The problem is that the CA probably  
> projects a relying party agreement - a license that is probably  
> incompatible with UCI. Ideally, the trust precepts of the saml  
> signing would be independent of the legacy commercial arrangements  
> found in the SSL world. Root keys and legal limits etc should depend  
> on XRI (and i-brokers policies), not on CAs.
>
>
> Date: Mon, 17 Aug 2009 12:54:19 +0200
>
>
> Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com
> From: mar...@xd...
> To: ho...@ms...
> CC: ope...@li...
>
> Hi,
>
> I changed the limit to 16384.
>
> And while doing that, I discovered that it was also my own code that  
> prevented me from putting a ds:KeyInfo into the XRD of @blog. Sorry  
> for blaming the central registry on this.
>
> See here: http://xri.net/@blog?_xrd_r=application/xrd+xml;sep=false;debug=1
>
> I guess this means you should now be able to remove your specific  
> override of the TR validity model that you put in place?
>
> Markus
>
> On Mon, Aug 17, 2009 at 2:17 AM, Peter Williams <ho...@ms...>  
> wrote:
>
>
>  can we quadrulple the 2048 char limit now on the admin tool chain  
> for freexri?
>
> I want to play now with synonyms, and services that are tied to the  
> link (SEP) vs the node (authority).
>
>
> Date: Fri, 14 Aug 2009 23:25:27 +0200
>
>
> Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com
> From: mar...@xd...
> To: ho...@ms...
> CC: ope...@li...
>
> As I said, I tried putting it into the @blog auth-res SEP, but it  
> was too large. Anyway, here it is:
>
> -----BEGIN CERTIFICATE-----
> MIIEejCCA2KgAwIBAgIJAKnJ+co0VaVQMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYD
> VQQGEwJBVDEPMA0GA1UECBMGVmllbm5hMQ8wDQYDVQQHEwZWaWVubmExETAPBgNV
> BAoUCEBmcmVlWFJJMR0wGwYDVQQDFBRAITdGNkYuRjUwLkE0RTQuMTEzMzEhMB8G
> CSqGSIb3DQEJARYSb2ZmaWNlQGZyZWV4cmkuY29tMB4XDTA4MDcwOTEyNTE1OFoX
> DTI4MDcwOTEyNTE1OFowgYQxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZWaWVubmEx
> DzANBgNVBAcTBlZpZW5uYTERMA8GA1UEChQIQGZyZWVYUkkxHTAbBgNVBAMUFEAh
> N0Y2Ri5GNTAuQTRFNC4xMTMzMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAZnJlZXhy
> aS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVS2u8ry9oTT2g
> Dv04fEJLadNrmRDQlz/y57BowVzNBuMTAXcBrGBytiezvOIgcqkWKnDdz1b8w29O
> QKAOF3OEUcgtlsb6p8RYBSH6+Qh5Z1VFEymwjF4X/msRfPyGMgv+sIksdsprkK74
> KiDAkC+qnRbXPi+K8vIzpWFNKzY7CyvEV601gXCvbu6CR4vLWEnjm1rOZL95/kWO
> ylbiy/B84bUi3chituS7F0DebfFLCr/6P73Q+KRHa6hW+rOl6ICbRn/Lg9Yq0/ZM
> ScRpOHE/PXZ/wIrl4bDw6GaR3S/s3+4xs968dGgYlGiUw6ZetAOZmD7j2cHoo9Ar
> XSxPViSLAgMBAAGjgewwgekwHQYDVR0OBBYEFMD4HaZ8ZptQgRKG8wL3B77CVJhT
> MIG5BgNVHSMEgbEwga6AFMD4HaZ8ZptQgRKG8wL3B77CVJhToYGKpIGHMIGEMQsw
> CQYDVQQGEwJBVDEPMA0GA1UECBMGVmllbm5hMQ8wDQYDVQQHEwZWaWVubmExETAP
> BgNVBAoUCEBmcmVlWFJJMR0wGwYDVQQDFBRAITdGNkYuRjUwLkE0RTQuMTEzMzEh
> MB8GCSqGSIb3DQEJARYSb2ZmaWNlQGZyZWV4cmkuY29tggkAqcn5yjRVpVAwDAYD
> VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAUMEIjxWugVz47gCw/fwDAug7
> nVnyyYoVwW3YlHwBODJvPmy2fuFHHSznKs8Z+1oqEPTq98NXGbGIrojBuywTDTHp
> VPMZG4uwbRc4P3YlLWV78VU2agfC3w7VZe0wm77r+SWdIWsBwsbY1c9YT9oFgIQP
> Zr3xfsszcR+8BqUOia4J4H8ld/5VRGTEA4hYLf0okNgQH3YjC+ewX4MxJbuCL/wp
> IZVoq9YZ+ug8IvKldDpM1VkBy9Ozn6eJGZgdnOt1dvwbkvGEE/IgOjRSiWNKTxl7
> DMMOPvDQoqkwlHHcoULacIxAHTD4EOQV8IQ4ucrA1SUHMMgYMERvgJqe7Ae4DQ==
> -----END CERTIFICATE-----
>
> Sorry, I said earlier it's the same as the one I'm using for HTTPS,  
> but I was wrong. It's a self-generated one.
>
> Markus
>
> On Fri, Aug 14, 2009 at 10:43 PM, Peter Williams <ho...@ms...>  
> wrote:
>
>
>  ive got a trial setup where I can now request and obtain a sig from freexri.org 
>  provider site.
>
> the sig fails at the RSA step - meaning I dont have the right public  
> key in my root hint.
>
> can you send me the cert for the signing key, as a base64?
>
> Or just post it to the superior node (as a keyinfo in the @blog SEP  
> of the At Authority)
>
> AtAuthority itself exhibits a saml media type, but doesnt sign its  
> responses (redirecting to the freexri.org server). Udner the rules,  
> the client resolver flags this as a partialexception - signature  
> failed (since signing is mandatory, if requested).
>
> More design flaws in the std - the XRI part this time.
>
> The XRI standard can address the xmldsig part. Xmldsig does NOT  
> mandate a marshalling format. XRI should have done that. Xmldsig is  
> for document-signing as well as type-signing, and you have to  
> marshall your types into a non-whitespace format (before signing/ 
> verifying) - to get interoperability.
>
>
> Date: Fri, 14 Aug 2009 22:31:08 +0200
> Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com
>
>
> From: mar...@xd...
> To: ho...@ms...
> CC: ope...@li...
>
> see inline
>
>
> On Fri, Aug 14, 2009 at 8:48 PM, Peter Williams <ho...@ms...>  
> wrote:
>
>
> I merged with the head. My subtypes work fine, still.
>
> 1. you can eliminate DisoverSignTest. it is essentially now  
> equivalent to SignTest, since you now have it using the XRD type. I  
> will keep it private, where it exercises XRDDiscover subclass -  
> which signs the XRD itself, rather than signing a enveloped-saml- 
> assertion of the XRD.
>
>
> [Markus] done
>
>
>
>
> 2. in confirmed that I can verify a signature, from my localhost  
> responder.
>
> 3. if you use the admin console to store an SEP for an authority,  
> the db stores it with the original indentation. This is passed  
> through to the marshalled wireform "as-is", and is signed in its  
> original identation model. (This is a big error in the way the  
> standard was formulated for xmldsig, IMHO, which didnt specify  
> constrained marshalling rules for (cached and signed) XRDs that may  
> exist at different levels in an XRDS resultstream)
>
>
>
> [Markus] Still strange that in @blog*lockbox almost everything is  
> without indentation except for a ds:KeyInfo element. I know that  
> those ds:KeyInfo elements are treated specially by the Service  
> class; it probably has something to do with this.
>
> I wasn't even aware that there are so huge problems with xmldsig. I  
> thought that as a developer I can just "hand" my DOM to an xmldsig  
> library, which will take care of all the marshalling / normalizing /  
> etc stuff for me. Apparently not.
>
>
> 4. assuming the official AtAuthority is happy to pass on a saml- 
> based resolution request to the provider of @blog, I will now  
> attempt to resolve against the xri: @blog*lockbox using the very  
> same client resolver code as has just verified a signature from the  
> provider of (@blog*lockbox)*peter2.
>
>
>
> 6. is there an actual authority record for @, and does it's auth-res  
> SEP pointing at *blog have a keyinfo for the servercert.pem?
>
>
>
> [Markus] Hmm yes I guess if you ask @ for the XRD for *blog, then  
> the auth res SEP should contain the keyinfo with the servercert.pem  
> that is then used to sign the XRDs for @blog*...
>
> I just tried putting it in there, but unfortunately I hit a limit in  
> the central registry that doesn't allow SEPs larger than 2048  
> chars :) Currently I'm using the key / cert that I'm also using for  
> HTTPS (e.g. https://resolve.freexri.com/ns/@blog/*lockbox). Maybe I  
> should use a smaller, self-generated one instead.
>
> You can ask the authority resolution server of  @blog for a self- 
> describing XRDS (at http://resolve.freexri.com/ns/@blog/), and  
> you'll see the keyinfo there, but I guess that doesn't really help,  
> because self-describing XRDses are not used by the resolver logic...
>
>
>
> 7. OR, should I put the keyinfo in the AtAuthority root hint stored  
> locally in the resolver client?
>
>
> [Markus] The @ and = root authorities themselves don't support SAML  
> trusted resolution, so I think there's no point in putting keyinfos  
> into the resolver's built-in hints.
>
>
>
>
>
>
> Date: Tue, 11 Aug 2009 21:33:15 +0200
> Subject: I installed the latested OpenXRI on www.freexri.com
> From: mar...@xd...
> To: ho...@ms...
> CC: ope...@li...
>
> And I can get XRDs with SAML assertions, e.g. with this CURL command
>
> curl -H "Accept: application/xrds+xml;saml=true" http://resolve.freexri.com/ns/@blog/*lockbox
>
> Cool. For some reason it seems there is still some indentation in  
> the produced XRDSes.
>
> I'm also using the latest OpenXRI client library in these tools now:
> http://www.freexri.com/tools/XRIResolution/
> http://www.freexri.com/tools/XRIExplorer/
>
> Unfortunately, if I turn on saml=true and try to resolve  
> @blog*lockbox (or any other community i-name from freexri.com), I  
> get "Signature verification failed.". Maybe that has to do with the  
> above mentioned indentation.
>
> Markus
>
>
>
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Openxri-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxri-users
>
>
>
>
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Openxri-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxri-users
>
>
>
>
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Openxri-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxri-users
>
>
>
>
> --- 
> --- 
> --- 
> ---------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Openxri-users mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxri-users
>
>
>
>

Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com

[Peter W. <ho...@ms...>]

I do have some standards issues.

 

If one gets an XRDS via an HXRI proxy, the value that is streamed is "that
which has been cid-validated" (by the proxy). Given the XRDS as sent is not
validated (and does not make that claim), the mere act of using a proxy
means that the bytes in the XRDS change (to represent verified=true). This
is because the XRD container itself is used to convey the results of
processing by an intermediary (rather than add a SOAP header, in the
ws-security model).

 

Thus the signed elements in the  XRDS stream returned by the proxy can never
be re-validated, in general by such as the openid consumer.

 

What one could do logically is exclude from signing those fields that one
expects the communication bearer and resolver to alter. But this will
require tuning the standard for the xmldsig ways of doing excluding.

 

From: Peter Williams [mailto:ho...@ms...] 
Sent: Monday, August 24, 2009 2:57 AM
To: mar...@xd...
Cc: ope...@li...
Subject: Re: [Openxri-users] I installed the latested OpenXRI on
www.freexri.com

 

Things sort of work. Its all kind of half baked. But, its better than it
was. its very sensitive.
 
So that we keep making progress, lets do this.
 
consider putting the default keypair in the webapp for the admin console.
consider Adding the commented out trustedServer config to the admin webapp
server.xml

Those 2 would mean that the "give me signed" dsecriptor will then work, by
default - in the server tab.
 
to keep going on the walled garden use of XRI theme (where my private server
acts as a Resource STS (with OAUTH guarding access to the proxy port that
does the mappings)) consider applying the proxy config patch attached. Feel
free to improve. Ill guss that it would also enhance the configurability of
the xri resolver interactive tool, too?
 
 
 
 
 
 
 

  _____  

Date: Sun, 23 Aug 2009 13:51:24 +0200
Subject: Re: [Openxri-users] I installed the latested OpenXRI on
www.freexri.com
From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

Hello Peter, I updated freexri.com <http://freexri.com/>  again with your
latest patches, and I added the following to my code:

        this.resolver.addSAMLBypassAuthority("@");
        this.resolver.addSAMLBypassAuthority("=");
        this.resolver.addSAMLBypassAuthority("!");

Now, if I enter @blog*sigtest*sigtestchild in the XRI Resolution tool and
turn on "SAML Trusted Resolution", I get the XRD(S) without any error.

Does that mean it works? :D

Markus

On Mon, Aug 17, 2009 at 5:48 PM, Markus Sabadello <mar...@xd...>
wrote:

Yeah, I haven't yet updated the various freexri.com <http://freexri.com/>
tools with your latest patch. Okay, I will try to do that, and configure the
resolver to bypass SAML for @, = and !.

No I'm not using my HTTPS cert for signing @blog*... XRDs (I may have said
that at some point, if so I was wrong). My cert is self generated and looks
like this:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a9:c9:f9:ca:34:55:a5:50
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AT, ST=Vienna, L=Vienna, O=@freeXRI,
CN=@!7F6F.F50.A4E4.1133/emailAddress=of...@fr...
        Validity
            Not Before: Jul  9 12:51:58 2008 GMT
            Not After : Jul  9 12:51:58 2028 GMT
        Subject: C=AT, ST=Vienna, L=Vienna, O=@freeXRI,
CN=@!7F6F.F50.A4E4.1133/emailAddress=of...@fr...

Markus 

 

On Mon, Aug 17, 2009 at 5:32 PM, Peter Williams <ho...@ms...> wrote:


I  updated to the head.
 
my unit test works fine, but only when still overriding the (lack of)
signature in @blog. The AtAuthority server is not signing @blog (which makes
sense, given the DOS opportunity on that root server, when using only
software crypto).
 
not suprisingly, we are getting
 
Error: Signature verification failed.
Resolution did not complete successfully.


 


from the xri resolution tool on the website, when setting the saml request
flag in the webform.
 
can we apply the override config to that tool, for @, either in code by or
config?
 
              resolver.addSAMLBypassAuthority("@"); // ignore any type of
SAML error when processing the XRD for @

and maybe the same for equalsAuthority and BangAuthority?
 

 
its possible that the root hint store of AtAuthority etc also need a
keyinfo, for the case that the root server's DO sign.
 
obviously, its cert needs to that of the root servers signing key... not the
cert used by the freeid provider.
 
I didnt look at the contents of your freeid cert, but recall it may be the
same as the https cert on freeid server?
 
if so, beware of trust issues. The problem is that the CA probably projects
a relying party agreement - a license that is probably incompatible with
UCI. Ideally, the trust precepts of the saml signing would be independent of
the legacy commercial arrangements found in the SSL world. Root keys and
legal limits etc should depend on XRI (and i-brokers policies), not on CAs.
 

  _____  

Date: Mon, 17 Aug 2009 12:54:19 +0200 


Subject: Re: [Openxri-users] I installed the latested OpenXRI on
www.freexri.com <http://www.freexri.com/> 
From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

Hi,

I changed the limit to 16384.

And while doing that, I discovered that it was also my own code that
prevented me from putting a ds:KeyInfo into the XRD of @blog. Sorry for
blaming the central registry on this.

See here: http://xri.net/@blog?_xrd_r=application/xrd+xml;sep=false;debug=1

I guess this means you should now be able to remove your specific override
of the TR validity model that you put in place?

Markus

On Mon, Aug 17, 2009 at 2:17 AM, Peter Williams <ho...@ms...> wrote:


 can we quadrulple the 2048 char limit now on the admin tool chain for
freexri?
 
I want to play now with synonyms, and services that are tied to the link
(SEP) vs the node (authority).
 

  _____  

Date: Fri, 14 Aug 2009 23:25:27 +0200 


Subject: Re: [Openxri-users] I installed the latested OpenXRI on
www.freexri.com <http://www.freexri.com/> 
From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

As I said, I tried putting it into the @blog auth-res SEP, but it was too
large. Anyway, here it is:

-----BEGIN CERTIFICATE-----
MIIEejCCA2KgAwIBAgIJAKnJ+co0VaVQMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYD
VQQGEwJBVDEPMA0GA1UECBMGVmllbm5hMQ8wDQYDVQQHEwZWaWVubmExETAPBgNV
BAoUCEBmcmVlWFJJMR0wGwYDVQQDFBRAITdGNkYuRjUwLkE0RTQuMTEzMzEhMB8G
CSqGSIb3DQEJARYSb2ZmaWNlQGZyZWV4cmkuY29tMB4XDTA4MDcwOTEyNTE1OFoX
DTI4MDcwOTEyNTE1OFowgYQxCzAJBgNVBAYTAkFUMQ8wDQYDVQQIEwZWaWVubmEx
DzANBgNVBAcTBlZpZW5uYTERMA8GA1UEChQIQGZyZWVYUkkxHTAbBgNVBAMUFEAh
N0Y2Ri5GNTAuQTRFNC4xMTMzMSEwHwYJKoZIhvcNAQkBFhJvZmZpY2VAZnJlZXhy
aS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVS2u8ry9oTT2g
Dv04fEJLadNrmRDQlz/y57BowVzNBuMTAXcBrGBytiezvOIgcqkWKnDdz1b8w29O
QKAOF3OEUcgtlsb6p8RYBSH6+Qh5Z1VFEymwjF4X/msRfPyGMgv+sIksdsprkK74
KiDAkC+qnRbXPi+K8vIzpWFNKzY7CyvEV601gXCvbu6CR4vLWEnjm1rOZL95/kWO
ylbiy/B84bUi3chituS7F0DebfFLCr/6P73Q+KRHa6hW+rOl6ICbRn/Lg9Yq0/ZM
ScRpOHE/PXZ/wIrl4bDw6GaR3S/s3+4xs968dGgYlGiUw6ZetAOZmD7j2cHoo9Ar
XSxPViSLAgMBAAGjgewwgekwHQYDVR0OBBYEFMD4HaZ8ZptQgRKG8wL3B77CVJhT
MIG5BgNVHSMEgbEwga6AFMD4HaZ8ZptQgRKG8wL3B77CVJhToYGKpIGHMIGEMQsw
CQYDVQQGEwJBVDEPMA0GA1UECBMGVmllbm5hMQ8wDQYDVQQHEwZWaWVubmExETAP
BgNVBAoUCEBmcmVlWFJJMR0wGwYDVQQDFBRAITdGNkYuRjUwLkE0RTQuMTEzMzEh
MB8GCSqGSIb3DQEJARYSb2ZmaWNlQGZyZWV4cmkuY29tggkAqcn5yjRVpVAwDAYD
VR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAUMEIjxWugVz47gCw/fwDAug7
nVnyyYoVwW3YlHwBODJvPmy2fuFHHSznKs8Z+1oqEPTq98NXGbGIrojBuywTDTHp
VPMZG4uwbRc4P3YlLWV78VU2agfC3w7VZe0wm77r+SWdIWsBwsbY1c9YT9oFgIQP
Zr3xfsszcR+8BqUOia4J4H8ld/5VRGTEA4hYLf0okNgQH3YjC+ewX4MxJbuCL/wp
IZVoq9YZ+ug8IvKldDpM1VkBy9Ozn6eJGZgdnOt1dvwbkvGEE/IgOjRSiWNKTxl7
DMMOPvDQoqkwlHHcoULacIxAHTD4EOQV8IQ4ucrA1SUHMMgYMERvgJqe7Ae4DQ==
-----END CERTIFICATE-----

Sorry, I said earlier it's the same as the one I'm using for HTTPS, but I
was wrong. It's a self-generated one.

Markus

On Fri, Aug 14, 2009 at 10:43 PM, Peter Williams <ho...@ms...> wrote:


 ive got a trial setup where I can now request and obtain a sig from
freexri.org <http://freexri.org/>  provider site.
 
the sig fails at the RSA step - meaning I dont have the right public key in
my root hint.
 
can you send me the cert for the signing key, as a base64?
 
Or just post it to the superior node (as a keyinfo in the @blog SEP of the
At Authority)
 
AtAuthority itself exhibits a saml media type, but doesnt sign its responses
(redirecting to the freexri.org <http://freexri.org/>  server). Udner the
rules, the client resolver flags this as a partialexception - signature
failed (since signing is mandatory, if requested).
 
More design flaws in the std - the XRI part this time.
 
The XRI standard can address the xmldsig part. Xmldsig does NOT mandate a
marshalling format. XRI should have done that. Xmldsig is for
document-signing as well as type-signing, and you have to marshall your
types into a non-whitespace format (before signing/verifying) - to get
interoperability.
 

  _____  

Date: Fri, 14 Aug 2009 22:31:08 +0200
Subject: Re: [Openxri-users] I installed the latested OpenXRI on
www.freexri.com <http://www.freexri.com/>  


From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

see inline



On Fri, Aug 14, 2009 at 8:48 PM, Peter Williams <ho...@ms...> wrote:


I merged with the head. My subtypes work fine, still.
 
1. you can eliminate DisoverSignTest. it is essentially now equivalent to
SignTest, since you now have it using the XRD type. I will keep it private,
where it exercises XRDDiscover subclass - which signs the XRD itself, rather
than signing a enveloped-saml-assertion of the XRD.

 
[Markus] done 

 


2. in confirmed that I can verify a signature, from my localhost responder.
 
3. if you use the admin console to store an SEP for an authority, the db
stores it with the original indentation. This is passed through to the
marshalled wireform "as-is", and is signed in its original identation model.
(This is a big error in the way the standard was formulated for xmldsig,
IMHO, which didnt specify constrained marshalling rules for (cached and
signed) XRDs that may exist at different levels in an XRDS resultstream)
 


[Markus] Still strange that in @blog*lockbox almost everything is without
indentation except for a ds:KeyInfo element. I know that those ds:KeyInfo
elements are treated specially by the Service class; it probably has
something to do with this.

I wasn't even aware that there are so huge problems with xmldsig. I thought
that as a developer I can just "hand" my DOM to an xmldsig library, which
will take care of all the marshalling / normalizing / etc stuff for me.
Apparently not.


4. assuming the official AtAuthority is happy to pass on a saml-based
resolution request to the provider of @blog, I will now attempt to resolve
against the xri: @blog*lockbox using the very same client resolver code as
has just verified a signature from the provider of (@blog*lockbox)*peter2.
 


6. is there an actual authority record for @, and does it's auth-res SEP
pointing at *blog have a keyinfo for the servercert.pem?
 


[Markus] Hmm yes I guess if you ask @ for the XRD for *blog, then the auth
res SEP should contain the keyinfo with the servercert.pem that is then used
to sign the XRDs for @blog*...

I just tried putting it in there, but unfortunately I hit a limit in the
central registry that doesn't allow SEPs larger than 2048 chars :) Currently
I'm using the key / cert that I'm also using for HTTPS (e.g.
https://resolve.freexri.com/ns/@blog/*lockbox). Maybe I should use a
smaller, self-generated one instead.

You can ask the authority resolution server of  @blog for a self-describing
XRDS (at http://resolve.freexri.com/ns/@blog/), and you'll see the keyinfo
there, but I guess that doesn't really help, because self-describing XRDses
are not used by the resolver logic...
 


7. OR, should I put the keyinfo in the AtAuthority root hint stored locally
in the resolver client? 


[Markus] The @ and = root authorities themselves don't support SAML trusted
resolution, so I think there's no point in putting keyinfos into the
resolver's built-in hints.
 


 


  _____  



Date: Tue, 11 Aug 2009 21:33:15 +0200
Subject: I installed the latested OpenXRI on www.freexri.com
<http://www.freexri.com/> 
From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

And I can get XRDs with SAML assertions, e.g. with this CURL command

curl -H "Accept: application/xrds+xml;saml=true"
http://resolve.freexri.com/ns/@blog/*lockbox

Cool. For some reason it seems there is still some indentation in the
produced XRDSes.

I'm also using the latest OpenXRI client library in these tools now:
http://www.freexri.com/tools/XRIResolution/
http://www.freexri.com/tools/XRIExplorer/

Unfortunately, if I turn on saml=true and try to resolve @blog*lockbox (or
any other community i-name from freexri.com <http://freexri.com/> ), I get
"Signature verification failed.". Maybe that has to do with the above
mentioned indentation.

Markus




----------------------------------------------------------------------------
--
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus
on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Openxri-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openxri-users

 


----------------------------------------------------------------------------
--
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus
on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Openxri-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openxri-users

 


----------------------------------------------------------------------------
--
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus
on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Openxri-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openxri-users

 


----------------------------------------------------------------------------
--
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus
on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Openxri-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openxri-users

 

 

Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com

[Peter W. <ho...@ms...>]

# This patch file was generated by NetBeans IDE
# Following Index: paths are relative to: C:\Users\Administrator\Documents\NetBeansProjects\trunk\openxri-server-logic\src\main\java\org\openxri
# This patch can be applied using context Tools: Patch action on respective folder.
# It uses platform neutral UTF-8 encoding and \n newlines.
# Above lines and this line are ignored by the patching process.
Index: config/impl/PropertiesProxyConfig.java
--- config/impl/PropertiesProxyConfig.java Base (BASE)
+++ config/impl/PropertiesProxyConfig.java Locally Modified (Based On LOCAL)
@@ -209,6 +209,24 @@
 		return authorities.split("\\s+");
 	}
 	
+        public String[] getCommunityAuthorities() {
+
+		String commauthorities = this.config.getProperty(ProxyConfig.COMMUNITY_AUTHORITIES, null);
+		if (commauthorities == null) {
+			return new String[0];
+		}
+		return commauthorities.split("\\s+");
+	}
+
+	public XRD getCommunityAuthority(String ca)
+	throws URISyntaxException, ParseException
+	{
+		String sDescriptor = this.config.getProperty(ca);
+
+		return XRD.parseXRD(sDescriptor, false);
+
+	}
+
 	public void setMaxBytesPerRequest(int maxBytesPerRequest) {
 
 		this.setProp(ProxyConfig.MAX_BYTES_PER_REQUEST, Integer.toString(maxBytesPerRequest));
Index: config/ProxyConfig.java
--- config/ProxyConfig.java Base (BASE)
+++ config/ProxyConfig.java Locally Modified (Based On LOCAL)
@@ -28,6 +28,7 @@
 	public static final String SAML_BYPASS_AUTHORITIES = "SamlBypassAuthorities";
 	public static final String BARE_XRI_NOTFOUND_REDIRECT = "BareXRINotFoundRedirect";
 	public static final String ROOT_REDIRECT = "RootRedirect";
+	public static final String COMMUNITY_AUTHORITIES = "CommunityAuthorities";
 
 	public static final String DEFAULT_MAX_FOLLOW_REDIRECTS = "10";
 	public static final String DEFAULT_MAX_FOLLOW_REFS = "10";
@@ -139,4 +140,7 @@
 
 	public void setRootRedirect(String rootRedirect);
 
+	public String[] getCommunityAuthorities();
+
+        public XRD getCommunityAuthority(String ca) throws URISyntaxException, ParseException;
 }
Index: proxy/impl/BasicProxy.java
--- proxy/impl/BasicProxy.java Base (BASE)
+++ proxy/impl/BasicProxy.java Locally Modified (Based On LOCAL)
@@ -89,9 +89,19 @@
 			this.resolver.setAuthority("=", this.config.getEqualsAuthority());
 			this.resolver.setAuthority("@", this.config.getAtAuthority());
 			this.resolver.setAuthority("!", this.config.getBangAuthority());
+
 		} catch (Exception ex) {
 			throw new ProxyException("Cannot initialize Resolver. Check the =, @ and ! root authorities.", ex);
 		}
+                try {
+                    String[] commAuthorities = this.config.getCommunityAuthorities();
+                    for (int i = 0; i < commAuthorities.length; i++) {
+                            XRI x = XRI.fromURINormalForm(commAuthorities[i]);
+                            this.resolver.setAuthority(commAuthorities[i], this.config.getCommunityAuthority(commAuthorities[i]));
+                    }
+		} catch (Exception ex) {
+			throw new ProxyException("Cannot initialize Resolver. Check the Community authorities.", ex);
+		}
 
 		String[] supports = this.config.getSupportedResMediaTypes();
 		if (supports != null) {

[Openxri-users] adding SEPs with OAuth

[Markus S. <mar...@xd...>]

Hello,

I revisited an old use case that has come up in the XRI TC a few times:
If you have an i-name, how can a third party i-service provider add a SEP to
your XRD in order to point to their service?

The scenario we talked about a few times was a "Busy Status" provider which
would indicate whether you are available/busy/etc.
This provider could display your status page at =yourname/(+busy), but how
does an appropriate SEP get installed in the user's XRD, without the user
having to add it manually at the i-broker?

No problem with OAuth, I said to myself, and so here are 2 demo "Busy
Status" providers for your i-name:

busystatus.com is a simple, easy-to-use provider that allows you to indicate
your Busy Status with a simple checkbox - either you are busy or not!

buzymazterz.com on the other hand is for those who love a rich feature set.
It allows you to choose between FOUR different Busy Statuses and even enter
a textual description for your personal Busy Status page!

So.. You can now choose between one of the above Busy Status providers. You
go to their site, sign in with your i-name, configure your Busy Status, and
then click on "Set up your i-name", which will try to configure your i-name
on your behalf via OAuth.

After that, people should be able to view your Busy Status via
=yourname/(+busy) or =web*yourname/(+busy) or whatever your i-name is. You
can even switch between the two providers if you're not happy with your
current one.

The only missing piece right now in this demo is how can those providers
(which are consumers in the OAuth terminology) discover the i-broker's OAuth
endpoints? Currently in the demo this is hardcoded, i.e. the above only
works with i-names from freexri.com or fullxri.com.

Here are my questions to anyone who reads this..

1. How does OAuth Discovery fit into this? I assume the way it should work
is that every i-name's XRD should have a SEP of type
http://oauth.net/discovery/1.0, which would point to another XRD that
contains all the OAuth Discovery stuff. Then any third party i-service could
be registered with any i-name.

2. Is this just useful in the XRI world, or would it also make sense for
non-XRI XRDs? This could be relevant to some very recent topics of the XRI
TC. Joseph mentioned a CRUD API for XRD. Would it make sense to expose this
whole API via OAuth? Would it be good practice for XRDs on the web with an
OpenID SEP (uh, excuse me, I mean link) to also have an OAuth link that
allows modifications to the XRD itself?

3. Currently the freexri.com and fullxri.com OAuth endpoints only support a
single operation: "Add SEP to XRD". The OAuth details are described here:
http://oauth.freexri.com. I know that there are some true OAuth experts on
this list :) If you have time, maybe you could review what I wrote on that
page, since this is the first time I do anything with OAuth.

In the XDI world, the same pattern could be used if a third party provider
wants to add XDI statements to a user's XDI context on their behalf.

Markus