From: Markus S. <mar...@gm...> - 2015-03-25 15:40:57
Hello Sandor,

There hasn't been any (significant) development on OpenXRI in years, mostly because its purpose and functionality have been superseded by XDI:
https://www.oasis-open.org/committees/xdi/

There is still a working registry of XRI identifiers (nowadays called "cloud names"), and there is still a working resolution service that can be used with OpenXRI. And you can still use the OpenXRI server to manage your own XRI identifiers.

So while we're not advancing OpenXRI anymore, it is a stable implementation of XRI Resolution 2.0
http://docs.oasis-open.org/xri/2.0/specs/xri-resolution-V2.0.html

So you might be able to use it for your purposes just fine. Or you might want to look at XDI instead, and its implementation XDI2:
http://xdi2.org/

Looking at your e-mail address, are you in Vienna? If so, we could meet up some time in mid-end April.

hope this helps,
Markus

On Tue, Mar 24, 2015 at 4:49 PM, Sandor Kopacsi, PhD <san...@un...> wrote:

> Dear list members,
>
> I found OpenXRI project on the Web and I am interested in if it is still alive, or is there anyone who is using the results.
>
> I am taking part in the development of an archiving system, where we are considering if XRI and OpenXRI would be suitable.
>
> Looking forward to hearing from you soon.
>
> Best Regards,
> Sandor
From: Sandor K. P. <san...@un...> - 2015-03-24 09:49:23
Dear list members,

I found OpenXRI project on the Web and I am interested in if it is still alive, or is there anyone who is using the results.

I am taking part in the development of an archiving system, where we are considering if XRI and OpenXRI would be suitable.

Looking forward to hearing from you soon.

Best Regards,
Sandor
From: Markus S. <mar...@gm...> - 2012-10-20 10:02:44
OpenXRI and XDI2 users,

I re-created the XRI 3.0 parser <http://openxri.org/syntax.html> using a recent version of aParse <http://www.parse2.com> (version 2.2). This replaces the five year old XRI 3.0 parser that had been created with aParse version 0.5.

I do not know if the improvements of aParse have any effect on the XRI 3.0 parser, e.g. bug fixes or improved performance. But all the unit tests of both OpenXRI and XDI2 are passing just fine, so I assume it's a good thing to have an updated version.

I also created a simple web interface to the parser:
http://xdi2.projectdanube.org/XRIParser

Markus

On Thu, Oct 18, 2012 at 9:34 PM, Drummond Reed <dru...@co...> wrote:

> Awesome info, Markus. Thanks - we may start getting a lot more questions about this soon as folks start looking at using XDI2 commercially.
>
> =Drummond
>
> On Thu, Oct 18, 2012 at 12:08 PM, Markus Sabadello <mar...@gm...> wrote:
>
>> The tool I used in 2007 is called "aParse" (it even mentions XRI in the "Examples" section of its website):
>> http://www.parse2.com/
>>
>> Oh, apparently it's still being maintained!
>> So maybe I should re-create the OpenXRI parser with a more recent version of aParse.
>>
>> Here's the home of the OpenXRI syntax library, which is used by both XDI2 and OX:
>> http://openxri.org/syntax.html
>>
>> Here's the ABNF I used as input back then, together with a few notes:
>> http://openxri.svn.sourceforge.net/viewvc/openxri/openxri4j/trunk/openxri-syntax/src/main/resources/xri-draft19.abnf?revision=496&view=markup
>>
>> A web-based deployment of the parser is here:
>> http://freexri.com/tools/XRIInspector3/
>>
>> Markus
From: Markus S. <mar...@gm...> - 2012-10-18 19:08:31
The tool I used in 2007 is called "aParse" (it even mentions XRI in the "Examples" section of its website):
http://www.parse2.com/

Oh, apparently it's still being maintained!
So maybe I should re-create the OpenXRI parser with a more recent version of aParse.

Here's the home of the OpenXRI syntax library, which is used by both XDI2 and OX:
http://openxri.org/syntax.html

Here's the ABNF I used as input back then, together with a few notes:
http://openxri.svn.sourceforge.net/viewvc/openxri/openxri4j/trunk/openxri-syntax/src/main/resources/xri-draft19.abnf?revision=496&view=markup

A web-based deployment of the parser is here:
http://freexri.com/tools/XRIInspector3/

Markus
From: Peter W. <ho...@ms...> - 2012-09-09 18:44:30
|
http://www.volvoklub.cz/wp-content/plugins/mm-forms-community/upload/temp/google.html |
From: Markus S. <mar...@xd...> - 2011-10-15 20:02:09
Hello,

FYI in OpenXRI there are now 2 "discovery mapping" services:

- http://xri2xrd.net ... Maps XRI resolution to XRD and therefore makes it compatible with Webfinger and OStatus. This has been used by Project Danube to achieve the SWAT0 interoperability with status.net and other Federated Social Web implementations.
- http://xri2swd.net ... Maps XRI resolution to SWD and therefore makes it compatible with OpenID Connect Discovery. Actually this isn't quite true (yet), because for SWD you need TLS, and there's no certificate for this service (yet).

Markus
From: Markus S. <mar...@gm...> - 2010-07-29 04:05:29
Hello XRI TC, OpenXRI list,

I set up an experimental service that maps the XRDS format currently used by XRI Resolution [1] to the XRD format [2].

E.g. try this: http://xri2xrd.net/=markus

You will get:

    <XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
      <Subject>http://xri.net/=!91F2.8153.F600.AE24</Subject>
      <Alias>http://xri.net/=markus</Alias>
      <Link rel="http://openid.net/signon/1.0" href="https://authn.fullxri.com/authentication/" />
      <Link rel="http://specs.openid.net/auth/2.0/signon" href="https://authn.fullxri.com/authentication/" />
      <Link rel="xri://+i-service*(+contact)*($v*1.0)" href="http://contact.fullxri.com/contact/" />
      <Link rel="xri://+i-service*(+forwarding)*($v*1.0)" href="http://forwarding.fullxri.com/forwarding/" />
      <Link rel="xri://$res*auth*($v*2.0)" href="http://resolve.fullxri.com/ns/=markus/" type="application/xrds+xml" />
      <Link rel="xri://$res*auth*($v*2.0)" href="https://resolve.fullxri.com/ns/=markus/" type="application/xrds+xml" />
      <Link rel="xri://$xdi!($v!1)" href="https://xdi.fullxri.com/=!91F2.8153.F600.AE24" />
      <Link rel="xri://$res*auth*($v*2.0)" href="https://resolve.freexri.com/ns/=web/" type="application/xrds+xml" />
      <Link rel="xri://$res*auth*($v*2.0)" href="http://resolve.freexri.com/ns/=web/" type="application/xrds+xml" />
      <Link rel="xri://+i-service*(+busy)*($v*1.0)" href="http://www.busystatus.com/iservice/" />
      <Link rel="magic-public-key" href="data:application/magic-public-key,RSA.iXT0Icgj-FwyP-Ji5z1ud7vWnWHKRwLXaVPuMlV5AcwjlhlF8qK9l55Ybni6WQxVpPXUqIJuMPVZbB-N0MKxl7cpKaMIshbn-mmXMYyONn_cT0PlfVwJgoiGjmndb1T3elIjvALBKgtt--QHUi8qhBEN3_TiD_mJa9-foZcnNE0=.AQAB" />
    </XRD>

The mapping is lossy, i.e. not all of the XRDS semantics are completely carried over to XRD. If you have thoughts/comments about the mapping, please let me know.

A tool like this can be useful to make i-names compatible with discovery mechanisms such as LRDD and Webfinger.

The code for the xri2xrd tool has been contributed to OpenXRI.

Markus

[1] http://www.oasis-open.org/committees/download.php/27432/xri-resolution-V2.0-cd-02-rv-04.pdf
[2] http://docs.oasis-open.org/xri/xrd/v1.0/xrd-1.0.html
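Added example, not part of the message above and not xri2xrd or OpenXRI code: a consumer of such an XRD parsing it as untrusted input, selecting links by `rel`, and listing the endpoints that would be reached over plain HTTP. The function names, the DTD refusal and the HTTPS-only default are this example's assumptions; the sample document is constructed from a few of the links quoted above.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "http://docs.oasis-open.org/ns/xri/xrd-1.0"

# Constructed sample: a shortened copy of the document quoted in the message.
# One href keeps the stray leading space that mail wrapping introduced.
SAMPLE_XRD = """<XRD xmlns="http://docs.oasis-open.org/ns/xri/xrd-1.0">
  <Subject>http://xri.net/=!91F2.8153.F600.AE24</Subject>
  <Alias>http://xri.net/=markus</Alias>
  <Link rel="http://specs.openid.net/auth/2.0/signon" href=" https://authn.fullxri.com/authentication/" />
  <Link rel="xri://+i-service*(+contact)*($v*1.0)" href="http://contact.fullxri.com/contact/" />
  <Link rel="xri://$res*auth*($v*2.0)" href="http://resolve.fullxri.com/ns/=markus/" type="application/xrds+xml" />
  <Link rel="xri://$res*auth*($v*2.0)" href="https://resolve.fullxri.com/ns/=markus/" type="application/xrds+xml" />
</XRD>"""


class XRDError(ValueError):
    """Raised when a discovery document is rejected."""


def parse_xrd(text):
    """Parse an XRD document into subject, aliases and links (document order)."""
    # Discovery documents arrive from the network: refuse DTDs outright so
    # entity declarations never reach the XML parser.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise XRDError("DTD not allowed in XRD")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise XRDError(f"not well-formed: {exc}") from exc
    if root.tag != f"{{{XRD_NS}}}XRD":
        raise XRDError(f"unexpected root element {root.tag!r}")
    links = []
    for el in root.findall(f"{{{XRD_NS}}}Link"):
        links.append({
            "rel": (el.get("rel") or "").strip(),
            "href": (el.get("href") or "").strip(),  # drop wrap-induced spaces
            "type": el.get("type"),
        })
    return {
        "subject": root.findtext(f"{{{XRD_NS}}}Subject"),
        "aliases": [a.text for a in root.findall(f"{{{XRD_NS}}}Alias")],
        "links": links,
    }


def select_links(xrd, rel, require_https=True):
    """Return hrefs for `rel` in document order.

    With require_https (the default) cleartext endpoints are skipped, so a
    caller never sends credentials or follows resolution over plain HTTP.
    """
    selected = []
    for link in xrd["links"]:
        if link["rel"] != rel:
            continue
        if require_https and urlsplit(link["href"]).scheme != "https":
            continue
        selected.append(link["href"])
    return selected


def cleartext_links(xrd):
    """(rel, href) pairs whose endpoint would be fetched over plain HTTP."""
    return [(link["rel"], link["href"]) for link in xrd["links"]
            if urlsplit(link["href"]).scheme == "http"]


if __name__ == "__main__":
    doc = parse_xrd(SAMPLE_XRD)
    print(select_links(doc, "xri://$res*auth*($v*2.0)"))
    for rel, href in cleartext_links(doc):
        print("cleartext:", rel, href)
```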
From: Drummond R. <dru...@co...> - 2010-06-17 19:13:29
Markus, awesome. Thanks for pushing this out.

=Drummond

On Wed, Jun 16, 2010 at 1:48 PM, Markus Sabadello <mar...@xd...> wrote:

> Hello,
>
> OpenXRI version 1.2.1 is now available. This maintenance release contains the following improvements:
>
> - Caching support in the resolver client by Wil. Caching can be configured in various ways and works on a per-subsegment level. E.g. if you resolve =web*markus and then =web*someone, then XRD for =web should already be cached. Caching takes into account the relevant HTTP headers as well as the XRD <Expires> element.
> - Improved web admin interface for the server. It is now easier to set up new "root namespaces" for the OpenXRI server as well as to find existing authorities via the convenient "Quick Authority Lookup" box. Also there are some bugfixes related to the authority graph diagrams. A live deployment of this web admin interface is available at http://admin.testxri.com/.
> - Some smaller bugfixes and improvements in the client and server.
>
> All the changes should be fully backwards compatible with the previous version.
>
> You can download 1.2.1 from Sourceforge (http://sourceforge.net/projects/openxri/). It will take a few more days for the new version to be available via Maven, then you can reference e.g. the client like this in your project:
>
>     <dependency>
>       <groupId>org.openxri</groupId>
>       <artifactId>openxri-client</artifactId>
>       <version>1.2.1</version>
>     </dependency>
>
> The main site with links to all the important places is here:
> http://openxri.org/
>
> Have fun
> Markus
From: Markus S. <mar...@xd...> - 2010-06-16 20:48:57
Hello,

OpenXRI version 1.2.1 is now available. This maintenance release contains the following improvements:

- Caching support in the resolver client by Wil. Caching can be configured in various ways and works on a per-subsegment level. E.g. if you resolve =web*markus and then =web*someone, then XRD for =web should already be cached. Caching takes into account the relevant HTTP headers as well as the XRD <Expires> element.
- Improved web admin interface for the server. It is now easier to set up new "root namespaces" for the OpenXRI server as well as to find existing authorities via the convenient "Quick Authority Lookup" box. Also there are some bugfixes related to the authority graph diagrams. A live deployment of this web admin interface is available at http://admin.testxri.com/.
- Some smaller bugfixes and improvements in the client and server.

All the changes should be fully backwards compatible with the previous version.

You can download 1.2.1 from Sourceforge (http://sourceforge.net/projects/openxri/). It will take a few more days for the new version to be available via Maven, then you can reference e.g. the client like this in your project:

    <dependency>
      <groupId>org.openxri</groupId>
      <artifactId>openxri-client</artifactId>
      <version>1.2.1</version>
    </dependency>

The main site with links to all the important places is here:
http://openxri.org/

Have fun
Markus
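Added example, not OpenXRI's resolver code: a sketch of per-subsegment caching as the release note describes it, where resolving =web*markus and then =web*someone fetches =web only once. `SubsegmentCache` and the `fetch` callback are hypothetical names; taking the earliest of `Cache-Control: max-age` and `<Expires>`, caching nothing when neither is present, and dropping cached children when a parent is re-fetched are this example's assumptions, since the message does not say how OpenXRI combines them.

```python
import re
from datetime import datetime, timedelta, timezone

# Simplified authority syntax: a global context symbol, then subsegments
# introduced by '*' or '!' (enough for the names used in the message).
_XRI = re.compile(r"([=@+$][*!]?[^*!]+)((?:[*!][^*!]+)*)")


def authority_prefixes(xri):
    """'=web*markus' -> ['=web', '=web*markus'], one cache key per subsegment."""
    m = _XRI.fullmatch(xri)
    if not m:
        raise ValueError(f"unsupported XRI authority: {xri!r}")
    prefixes = [m.group(1)]
    for sub in re.findall(r"[*!][^*!]+", m.group(2)):
        prefixes.append(prefixes[-1] + sub)
    return prefixes


def expiry_for(headers, xrd_expires, now):
    """Earliest expiry allowed by Cache-Control and <Expires>; None = do not cache."""
    raw = headers.get("Cache-Control", "")
    directives = [d.strip().lower() for d in raw.split(",") if d.strip()]
    if "no-store" in directives or "no-cache" in directives:
        return None
    candidates = []
    for d in directives:
        if d.startswith("max-age="):
            try:
                candidates.append(now + timedelta(seconds=int(d[len("max-age="):])))
            except ValueError:
                return None  # malformed max-age: treat the response as uncacheable
    if xrd_expires is not None:
        candidates.append(xrd_expires)
    expires = min(candidates, default=None)
    return expires if expires is not None and expires > now else None


class SubsegmentCache:
    def __init__(self, fetch):
        # Hypothetical callback: fetch(prefix) -> (http_headers, xrd_expires, xrd)
        self._fetch = fetch
        self._entries = {}  # prefix -> (expires_at, xrd)

    def resolve(self, xri, now):
        """Return the XRD for every prefix of `xri`, fetching only missing or stale ones."""
        chain = []
        for prefix in authority_prefixes(xri):
            entry = self._entries.get(prefix)
            if entry and entry[0] > now:
                chain.append(entry[1])
                continue
            # Stale or absent: never serve it, and drop cached children, which
            # were resolved through the old copy of this authority.
            self._entries.pop(prefix, None)
            for key in [k for k in self._entries
                        if k.startswith((prefix + "*", prefix + "!"))]:
                del self._entries[key]
            headers, xrd_expires, xrd = self._fetch(prefix)
            expires = expiry_for(headers, xrd_expires, now)
            if expires is not None:
                self._entries[prefix] = (expires, xrd)
            chain.append(xrd)
        return chain


def constructed_fetch(log):
    """Constructed stand-in for the network: every authority answers max-age=300."""
    def fetch(prefix):
        log.append(prefix)
        return {"Cache-Control": "max-age=300"}, None, f"<XRD for {prefix}>"
    return fetch


def demo():
    """Return the list of authorities actually fetched across three resolutions."""
    log = []
    cache = SubsegmentCache(constructed_fetch(log))
    t0 = datetime(2010, 6, 16, 21, 0, tzinfo=timezone.utc)
    cache.resolve("=web*markus", t0)
    cache.resolve("=web*someone", t0 + timedelta(seconds=10))   # =web is cached
    cache.resolve("=web*markus", t0 + timedelta(seconds=400))   # all entries expired
    return log


if __name__ == "__main__":
    print(demo())
```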
From: Will N. <wi...@wi...> - 2009-09-21 20:09:14
For right now, I know I'm planning on including the following basic functionality in the OpenXRD library:

- XML marshalling and unmarshalling (provided by the XMLTooling library, which was developed as part of OpenSAML)
- Message signing and signature verification
- Discovery of XRD documents. The default configuration will likely use the discovery methods defined by LRDD (HTML <link> element, HTTP response Link header, Host Meta). Other discovery methods (such as DNS) can be registered as well.
- Selection of a linked resource based on a specified criteria
- Processing of URITemplates using registered template dictionaries

I haven't yet worked out how much of the trust logic should be in the library. I suspect that will depend on what XRD Trust profiles look like once we get them written. Very likely there will be implementations of the most common approaches provided, but in a way that others can be easily used. The fact that we're using XMLTooling for all of the XML handling may be enough of a deal breaker for OpenXRI, I don't know.

Peter, what "Shibboleth ideas for security infrastructure management" is it that you are referring to that you don't want? Is this something in OpenSAML that you've run into previously?

Given that XRD is still a moving target (especially the processing rules that have been in flux the last week), I've actually halted development on the library until things settle down a bit so I can focus on some other things. You can see what has been implemented thus far at:

http://svn.middleware.georgetown.edu/view/java-openxrd/trunk/

The unit tests will probably be the most useful for seeing how things are expected to be used.

-will

On Sep 20, 2009, at 9:48 AM, Peter Williams wrote:

> That aligns largely with my thinking, except that I assume a better XRD interface should allow different runtime libraries to be plugged in. Reference libraries serve standards communities, but not user communities (as they typically stifle application, as the committee struggles to get consensus on fundamentals).
>
> I'm simply treating the XRD 1.0 format as a marshalling issue. And, of course one can have different serializations of the XRD type. During serialization of types to a wire format (e.g. XML), various signing and encryption scheme are performed - applying the commonly understood art from the world of signed ASN.1 types (that have long spit out XML, as well as DER, PER, etc)
>
> The question is, will that "reference" library come loaded with Shibboleth/Internet2 conceptions of configuration, key management, crypto, etc.
>
> If so - and assuming it's loaded full of all the usual Shibboleth ideas for security infrastructure management - I don't want it.
>
> I just want to marshall the current XRD type using the new bit format. Does it need to be any bigger any issue than that?
>
> From: mar...@gm... [mailto:mar...@gm...] On Behalf Of Markus Sabadello
> Sent: Sunday, September 20, 2009 3:55 AM
> To: Wil Tan
> Cc: Peter Williams; ope...@li...; Will Norris
> Subject: Re: [Openxri-users] FW: xrd 1.0
>
> I know that Will Norris who is most active on the XRI TC is planning a reference implementation of XRD 1.0.
>
> I don't know the current state of this, but I think it would be straightforward that we at OpenXRI then use his library instead of implementing XRD ourselves..
>
> Markus
>
> On Sun, Sep 20, 2009 at 4:31 AM, Wil Tan <dr...@gm...> wrote:
>
> Streams, as in, a sequence of documents, or a sequence of nodes in a document that is unending?
>
> It would be good to get the various parts of OpenXRI ready for XRD 1.0 (if they aren't already.)
>
> =wil
>
> On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...> wrote:
>
> I built myself a responder that can produce xrd 1.0 (draft) streams.
>
> How might we in this community include and explore such code?
>
> Do we want to?
>
> Do our sponsors want this public?
>
> How might we allow folks to explore this, either in source or binary distribution?
From: Peter W. <ho...@ms...> - 2009-09-21 19:17:51
So I'm in two minds about the opensaml tooling lib.

Upgrading the whole type system for xrd in openxri to that lib is the right thing to do. Higher assurance requires formal methods, and secure type systems - where access and export constraints are enforced in such as a tooling lib. Proofs from info flow theory are possible, once one has a decent type system in charge.

What I didn't like about that particular lib was its philosophy for security service integration - as values are handled at the protection boundary. It's all fine as research, but not for folks mired in legacy infrastructure.

On Sep 21, 2009, at 11:25 AM, Will Norris <wi...@wi...> wrote:

> For right now, I know I'm planning on including the following basic functionality in the OpenXRD library:
>
> - XML marshalling and unmarshalling (provided by the XMLTooling library, which was developed as part of OpenSAML)
> - Message signing and signature verification
> - Discovery of XRD documents. The default configuration will likely use the discovery methods defined by LRDD (HTML <link> element, HTTP response Link header, Host Meta). Other discovery methods (such as DNS) can be registered as well.
> - Selection of a linked resource based on a specified criteria
> - Processing of URITemplates using registered template dictionaries
>
> I haven't yet worked out how much of the trust logic should be in the library. I suspect that will depend on what XRD Trust profiles look like once we get them written. Very likely there will be implementations of the most common approaches provided, but in a way that others can be easily used. The fact that we're using XMLTooling for all of the XML handling may be enough of a deal breaker for OpenXRI, I don't know.
>
> Peter, what "Shibboleth ideas for security infrastructure management" is it that you are referring to that you don't want? Is this something in OpenSAML that you've run into previously?
>
> Given that XRD is still a moving target (especially the processing rules that have been in flux the last week), I've actually halted development on the library until things settle down a bit so I can focus on some other things. You can see what has been implemented thus far at:
>
> http://svn.middleware.georgetown.edu/view/java-openxrd/trunk/
>
> The unit tests will probably be the most useful for seeing how things are expected to be used.
>
> -will
>
> On Sep 20, 2009, at 9:48 AM, Peter Williams wrote:
>
>> That aligns largely with my thinking, except that I assume a better XRD interface should allow different runtime libraries to be plugged in. Reference libraries serve standards communities, but not user communities (as they typically stifle application, as the committee struggles to get consensus on fundamentals).
>>
>> I'm simply treating the XRD 1.0 format as a marshalling issue. And, of course one can have different serializations of the XRD type. During serialization of types to a wire format (e.g. XML), various signing and encryption scheme are performed - applying the commonly understood art from the world of signed ASN.1 types (that have long spit out XML, as well as DER, PER, etc)
>>
>> The question is, will that "reference" library come loaded with Shibboleth/Internet2 conceptions of configuration, key management, crypto, etc.
>>
>> If so - and assuming it's loaded full of all the usual Shibboleth ideas for security infrastructure management - I don't want it.
>>
>> I just want to marshall the current XRD type using the new bit format. Does it need to be any bigger any issue than that?
>>
>> From: mar...@gm... [mailto:mar...@gm...] On Behalf Of Markus Sabadello
>> Sent: Sunday, September 20, 2009 3:55 AM
>> To: Wil Tan
>> Cc: Peter Williams; ope...@li...; Will Norris
>> Subject: Re: [Openxri-users] FW: xrd 1.0
>>
>> I know that Will Norris who is most active on the XRI TC is planning a reference implementation of XRD 1.0.
>>
>> I don't know the current state of this, but I think it would be straightforward that we at OpenXRI then use his library instead of implementing XRD ourselves..
>>
>> Markus
>>
>> On Sun, Sep 20, 2009 at 4:31 AM, Wil Tan <dr...@gm...> wrote:
>>
>> Streams, as in, a sequence of documents, or a sequence of nodes in a document that is unending?
>>
>> It would be good to get the various parts of OpenXRI ready for XRD 1.0 (if they aren't already.)
>>
>> =wil
>>
>> On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...> wrote:
>>
>> I built myself a responder that can produce xrd 1.0 (draft) streams.
>>
>> How might we in this community include and explore such code?
>>
>> Do we want to?
>>
>> Do our sponsors want this public?
>>
>> How might we allow folks to explore this, either in source or binary distribution?
From: Peter W. <ho...@ms...> - 2009-09-20 17:07:02
All I've done to date is the obvious (since I'm an incompetent programmer).

I subclassed the XRD type.

I subclassed the AbstractServer, overriding its methods.

The overridden methods let the data layer work with XRD classes, produce a value, which I marshall into XML and then unmarshall into my subclass.

My subclass serializes according to my own formats. This be a XRD 1.0 format, of course.

My assumption is that there will be many different profiles of the XRD 1.0 format, and all of these should be supported as extensions are added by various communities.

From: Wil Tan [mailto:dr...@gm...]
Sent: Saturday, September 19, 2009 7:32 PM
To: Peter Williams
Cc: ope...@li...
Subject: Re: [Openxri-users] FW: xrd 1.0

Streams, as in, a sequence of documents, or a sequence of nodes in a document that is unending?

It would be good to get the various parts of OpenXRI ready for XRD 1.0 (if they aren't already.)

=wil

On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...> wrote:

I built myself a responder that can produce xrd 1.0 (draft) streams.

How might we in this community include and explore such code?

Do we want to?

Do our sponsors want this public?

How might we allow folks to explore this, either in source or binary distribution?
From: Peter W. <ho...@ms...> - 2009-09-20 16:49:09
That aligns largely with my thinking, except that I assume a better XRD interface should allow different runtime libraries to be plugged in. Reference libraries serve standards communities, but not user communities (as they typically stifle application, as the committee struggles to get consensus on fundamentals).

I'm simply treating the XRD 1.0 format as a marshalling issue. And, of course one can have different serializations of the XRD type. During serialization of types to a wire format (e.g. XML), various signing and encryption scheme are performed - applying the commonly understood art from the world of signed ASN.1 types (that have long spit out XML, as well as DER, PER, etc)

The question is, will that "reference" library come loaded with Shibboleth/Internet2 conceptions of configuration, key management, crypto, etc.

If so - and assuming it's loaded full of all the usual Shibboleth ideas for security infrastructure management - I don't want it.

I just want to marshall the current XRD type using the new bit format. Does it need to be any bigger any issue than that?

From: mar...@gm... [mailto:mar...@gm...] On Behalf Of Markus Sabadello
Sent: Sunday, September 20, 2009 3:55 AM
To: Wil Tan
Cc: Peter Williams; ope...@li...; Will Norris
Subject: Re: [Openxri-users] FW: xrd 1.0

I know that Will Norris who is most active on the XRI TC is planning a reference implementation of XRD 1.0.

I don't know the current state of this, but I think it would be straightforward that we at OpenXRI then use his library instead of implementing XRD ourselves..

Markus

On Sun, Sep 20, 2009 at 4:31 AM, Wil Tan <dr...@gm...> wrote:

Streams, as in, a sequence of documents, or a sequence of nodes in a document that is unending?

It would be good to get the various parts of OpenXRI ready for XRD 1.0 (if they aren't already.)

=wil

On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...> wrote:

I built myself a responder that can produce xrd 1.0 (draft) streams.

How might we in this community include and explore such code?

Do we want to?

Do our sponsors want this public?

How might we allow folks to explore this, either in source or binary distribution?
From: Markus S. <mar...@xd...> - 2009-09-20 10:55:28
I know that Will Norris who is most active on the XRI TC is planning a reference implementation of XRD 1.0.

I don't know the current state of this, but I think it would be straightforward that we at OpenXRI then use his library instead of implementing XRD ourselves..

Markus

On Sun, Sep 20, 2009 at 4:31 AM, Wil Tan <dr...@gm...> wrote:

> Streams, as in, a sequence of documents, or a sequence of nodes in a document that is unending?
>
> It would be good to get the various parts of OpenXRI ready for XRD 1.0 (if they aren't already.)
>
> =wil
>
> On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...> wrote:
>
>> I built myself a responder that can produce xrd 1.0 (draft) streams.
>>
>> How might we in this community include and explore such code?
>>
>> Do we want to?
>>
>> Do our sponsors want this public?
>>
>> How might we allow folks to explore this, either in source or binary distribution?
From: Wil T. <dr...@gm...> - 2009-09-20 02:32:02
Streams, as in, a sequence of documents, or a sequence of nodes in a document that is unending?

It would be good to get the various parts of OpenXRI ready for XRD 1.0 (if they aren't already.)

=wil

On Sun, Sep 20, 2009 at 11:00 AM, Peter Williams <ho...@ms...> wrote:

> I built myself a responder that can produce xrd 1.0 (draft) streams.
>
> How might we in this community include and explore such code?
>
> Do we want to?
>
> Do our sponsors want this public?
>
> How might we allow folks to explore this, either in source or binary distribution?
From: Peter W. <ho...@ms...> - 2009-09-20 01:01:28
I built myself a responder that can produce xrd 1.0 (draft) streams.

How might we in this community include and explore such code?

Do we want to?

Do our sponsors want this public?

How might we allow folks to explore this, either in source or binary distribution?
From: Torsten S. <tsc...@gm...> - 2009-09-17 14:53:12
Drummond!

Thanks for taking the time to help me a bit in my endeavor to make sense of the identity jungle.

I have been reading that entry on your blog carefully and followed some of the links. I had also seen the Higgins project before (asking myself what it has to do with Eclipse, but never mind) and can't help the feeling I may be missing something.

Now I found that I think my problem is to properly distinguish between:

a) abstract ideas or concepts
b) concrete proposed or established standards for information representation and discovery
c) standardized protocols which would enable any interaction between systems exchanging information represented in one of the standardized formats
d) tangible implementations of b) and c)

You know, I currently try to get some "normal" people interested in state of the art Internet identity subjects as the idea that you may now want to publish all your contact information to anyone all the time just gains attention among the "normal public" these days as the majority of people only start now to understand the problem of spam, identity theft or reputation issues which may arise from too open sharing of all kinds of personal information on the web.

I think many social networks provide some nice mechanisms how I can control who will have access to what data in my profile there. But this is all proprietary most of the time. So if I am in Flickr, Facebook and LinkedIn to name a few, I need to manage in each of them separately who is allowed to see and do what with my data and who isn't.

I hope I assume right that the idea of all this Internet identity stuff, i.e. XRDS, XRI, OpenID, i-Card, r-Card and the like are targeted towards providing some kind of open standard here so typical social (and other) networking services could use this information which I edit once and which I might want to store on a system which *I* trust, not necessarily on any of *their* servers.

Are we in sync up to here?

If yes, what also caught my intention in your blog post was:

http://cyber.law.harvard.edu/projectvrm/Personal_Address_Manager_Service

I think this would be pretty much what I would be looking to make happen using XRDS, XRI, possibly an OpenXRI server and some r-Cards.

For example, I would want to be able not to give a company from which I buy a service (Internet, mobile phone, electricity) all my contact details but I would want to give them an r-Card which will allow them to contact me if needed *for the duration of the contract*. I would want to be able to withdraw this r-Card if I decide not to buy their services any more and I would thus be safe from voice, email or printed spam.

I think this is the killer app people would be looking for, isn't it?

Now I failed so far to properly understand how such a scenario would be implemented using an r-Card, for example. You talk in your blog about a demo which has been done once with physical attendance and where you have been using printed r-Cards and scissors. I can't imagine what you had been doing there. I guess it's not on YouTube, is it?

Regards,
Torsten

Drummond Reed wrote:

> Torsten,
>
> My apologies - I was on vacation when you sent your message so I only just reached it.
>
> There are connections between XRI and both OpenID and Information Cards. In the case of OpenID, XRI is one of the types of identifiers recognized in OpenID 2.0. In the case of Information Cards, XRIs are used for a new type of Information Card called a "relationship card". It's basically an Information Card that includes a special claim that opens up an ongoing data sharing channel between the two parties. See my blog post at:
>
> www.equalsdrummond.name/?p=135
>
> The other relationship is that, in part due to my being one of the founding directors of the Information Card Foundation (ICF), I was asked to become Executive Director last March and accepted. So in addition to serving as co-chair of the OASIS XRI and XDI Technical Committees, I also serve as Executive Director of the ICF.
>
> I think even more cross-connections -- between OpenID, Information Cards, SAML, and XRI/XDI -- are coming in the next year, so it will be fun to see how it all comes together.
>
> Hope this helps,
>
> =Drummond
> http://xri.net/=drummond.reed
>
>> -----Original Message-----
>> From: Torsten Schlabach [mailto:tsc...@gm...]
>> Sent: Wednesday, August 12, 2009 4:15 AM
>> To: ope...@li...
>> Subject: [Openxri-users] Information Card versus XRI?
>>
>> Hi!
>>
>> Can anyone tell me how XRI and http://informationcard.net/ relate? Does Information Card build upon XRI?
>>
>> I noticed that a Drummond Read seems to be involved in both.
>>
>> Regards,
>> Torsten
From: Drummond R. <dru...@co...> - 2009-09-01 03:52:13
|
Torsten,

My apologies - I was on vacation when you sent your message so I only just reached it.

There are connections between XRI and both OpenID and Information Cards. In the case of OpenID, XRI is one of the types of identifiers recognized in OpenID 2.0. In the case of Information Cards, XRIs are used for a new type of Information Card called a "relationship card". It's basically an Information Card that includes a special claim that opens up an ongoing data sharing channel between the two parties. See my blog post at:

www.equalsdrummond.name/?p=135

The other relationship is that, in part due to my being one of the founding directors of the Information Card Foundation (ICF), I was asked to become Executive Director last March and accepted. So in addition to serving as co-chair of the OASIS XRI and XDI Technical Committees, I also serve as Executive Director of the ICF.

I think even more cross-connections -- between OpenID, Information Cards, SAML, and XRI/XDI -- are coming in the next year, so it will be fun to see how it all comes together.

Hope this helps,

=Drummond
http://xri.net/=drummond.reed

> -----Original Message-----
> From: Torsten Schlabach [mailto:tsc...@gm...]
> Sent: Wednesday, August 12, 2009 4:15 AM
> To: ope...@li...
> Subject: [Openxri-users] Information Card versus XRI?
>
> Hi!
>
> Can anyone tell me how XRI and http://informationcard.net/ relate? Does Information Card build upon XRI?
>
> I noticed that a Drummond Reed seems to be involved in both.
>
> Regards,
> Torsten
|
From: Peter W. <ho...@ms...> - 2009-08-25 19:43:26
|
and if I put a keyinfo in that, I'm basically telling the openid consumer how to validate the signed XRDs.

Since a consumer is already responsible for some of synonym validation, I am working on code that ensures the proxy does not change the server's originally-marshalled XRD types.

If the openid consumer is using the resolver API and the proxy provider, I'm hoping it will follow SEP-level redirects. Thus, given the id of the consumer, different redirects will land on different target SEPs for the proxy SEP, each with keyinfo suited to that requestor.

Now, I have to change the proxy code so that it re-signs the (verified) XRDs it receives from auth-res. At that point, I essentially have a STS - where proxy protocol plays the role of ws-trust. And, I have as many STS instances as there are proxy declarations (and redirects).

I hope I'm using the architecture the way it's SUPPOSED to be being applied, now.

Date: Tue, 25 Aug 2009 19:18:42 +0200
Subject: Re: [Openxri-users] proxy descriptor
From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

A proxy SEP looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<Service xmlns="xri://$xrd*($v*2.0)">
  <ProviderID>__myproviderid__</ProviderID>
  <Type select="true">xri://$res*proxy*($v*2.0)</Type>
  <MediaType select="false">application/xrds+xml</MediaType>
  <MediaType select="false">application/xrd+xml</MediaType>
  <MediaType select="false">text/uri-list</MediaType>
  <URI append="none" priority="2">http://__myproxyserver__</URI>
  <URI append="none" priority="1">https://__mysecureproxyserver__</URI>
</Service>

See section 11.1 of http://www.oasis-open.org/committees/download.php/27432/xri-resolution-V2.0-cd-02-rv-04.pdf

The freexri.com UI has a few templates for common SEPs, including proxy SEPs.

I just added proxy SEPs to @freexri and @fullxri. Not sure why I haven't thought of this before.

Markus

On Tue, Aug 25, 2009 at 6:54 PM, Peter Williams <ho...@ms...> wrote:

how do I publish the availability of a proxy service?

(we obviously all know how to publish the authres service.)
|
From: Markus S. <mar...@xd...> - 2009-08-25 17:18:54
|
A proxy SEP looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<Service xmlns="xri://$xrd*($v*2.0)">
  <ProviderID>__myproviderid__</ProviderID>
  <Type select="true">xri://$res*proxy*($v*2.0)</Type>
  <MediaType select="false">application/xrds+xml</MediaType>
  <MediaType select="false">application/xrd+xml</MediaType>
  <MediaType select="false">text/uri-list</MediaType>
  <URI append="none" priority="2">http://__myproxyserver__</URI>
  <URI append="none" priority="1">https://__mysecureproxyserver__</URI>
</Service>

See section 11.1 of http://www.oasis-open.org/committees/download.php/27432/xri-resolution-V2.0-cd-02-rv-04.pdf

The freexri.com UI has a few templates for common SEPs, including proxy SEPs.

I just added proxy SEPs to @freexri and @fullxri. Not sure why I haven't thought of this before.

Markus

On Tue, Aug 25, 2009 at 6:54 PM, Peter Williams <ho...@ms...> wrote:

> how do I publish the availability of a proxy service?
>
> (we obviously all know how to publish the authres service.)
|
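A client that consumes a proxy SEP like the one in the message above has to confirm the service Type and choose among the URI elements by priority. The following is an added example, not OpenXRI code and not from the posters: the function name proxy_endpoints and its allow_plaintext flag are hypothetical, the SEP is the one from the message with its placeholders (XML declaration dropped), and the second SEP is constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
PROXY_TYPE = "xri://$res*proxy*($v*2.0)"

# The proxy SEP from the message above, placeholders kept as posted.
PROXY_SEP = """<Service xmlns="xri://$xrd*($v*2.0)">
  <ProviderID>__myproviderid__</ProviderID>
  <Type select="true">xri://$res*proxy*($v*2.0)</Type>
  <MediaType select="false">application/xrds+xml</MediaType>
  <MediaType select="false">application/xrd+xml</MediaType>
  <MediaType select="false">text/uri-list</MediaType>
  <URI append="none" priority="2">http://__myproxyserver__</URI>
  <URI append="none" priority="1">https://__mysecureproxyserver__</URI>
</Service>"""

# Constructed counter-example: an authority resolution SEP, which must not
# be mistaken for a proxy resolver.
AUTHRES_SEP = """<Service xmlns="xri://$xrd*($v*2.0)">
  <Type>xri://$res*auth*($v*2.0)</Type>
  <URI>https://__myauthresserver__</URI>
</Service>"""


def qname(local_name):
    """Build the namespaced tag name ElementTree uses for XRD elements."""
    return "{" + XRD_NS + "}" + local_name


def proxy_endpoints(sep_xml, allow_plaintext=False):
    """Return the proxy resolver URIs of one <Service>, best first.

    Plain http endpoints are dropped unless allow_plaintext is set, so a
    resolution query is not sent in the clear by default.
    """
    service = ET.fromstring(sep_xml)
    if service.tag != qname("Service"):
        raise ValueError("not an XRD Service element")

    types = {(t.text or "").strip() for t in service.findall(qname("Type"))}
    if PROXY_TYPE not in types:
        raise ValueError("Service is not a proxy resolver SEP")

    ranked = []
    for position, uri in enumerate(service.findall(qname("URI"))):
        target = (uri.text or "").strip()
        scheme = urlsplit(target).scheme.lower()
        if scheme not in ("http", "https"):
            continue
        if scheme == "http" and not allow_plaintext:
            continue
        priority = uri.get("priority")
        # Lower number means higher priority; a URI without a priority
        # attribute sorts after all URIs that have one. Ties keep document
        # order here (a simplification of this example).
        if priority is not None and priority.isdigit():
            key = (0, int(priority))
        else:
            key = (1, 0)
        ranked.append((key, position, target))

    ranked.sort()
    return [target for _, _, target in ranked]


if __name__ == "__main__":
    print(proxy_endpoints(PROXY_SEP))
    print(proxy_endpoints(PROXY_SEP, allow_plaintext=True))
```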
From: Peter W. <ho...@ms...> - 2009-08-25 16:54:22
|
how do I publish the availability of a proxy service? (we obviously all know how to publish the authres service.) |
From: Peter W. <ho...@ms...> - 2009-08-24 17:37:36
|
So here is what I don't know (analyzing maturity like a vc):

Is the baseline even complete, without saml, for the security enforcement model, for synonym verification
Is the caching model for signed xrd at resolver finished
If the CID is an https uri, does the spec prevail
Do the refs between id authorities hold for signed xrd in practice, enforcing delegation (for authority migration) properly
Etc etc

I'm wanting now to eval the whole story for supporting advanced trust networking, which is incredibly rich of course. It's almost too rich...and too far advanced for the market.

I wish the open src code exposed the openid I-service, so one could run multi-tenant ops on http mount points. You'd have a business winner, there.

On Aug 24, 2009, at 8:08 AM, "Peter Williams" <ho...@ms...> wrote:

> I do have some standards issues.
>
> If one gets an XRDS via an HXRI proxy, the value that is streamed is “that which has been cid-validated” (by the proxy). Given the XRDS as sent is not validated (and does not make that claim), the mere act of using a proxy means that the bytes in the XRDS change (to represent verified=true). This is because the XRD container itself is used to convey the results of processing by an intermediary (rather than add a SOAP header, in the ws-security model).
>
> Thus the signed elements in the XRDS stream returned by the proxy can never be re-validated, in general by such as the openid consumer.
>
> What one could do logically is exclude from signing those fields that one expects the communication bearer and resolver to alter. But this will require tuning the standard for the xmldsig ways of doing excluding.
>
> From: Peter Williams [mailto:ho...@ms...]
> Sent: Monday, August 24, 2009 2:57 AM
> To: mar...@xd...
> Cc: ope...@li...
> Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com
>
> Things sort of work. It's all kind of half baked. But, it's better than it was. it's very sensitive.
>
> So that we keep making progress, let's do this.
>
> consider putting the default keypair in the webapp for the admin console.
> consider Adding the commented out trustedServer config to the admin webapp server.xml
>
> Those 2 would mean that the "give me signed" descriptor will then work, by default - in the server tab.
>
> to keep going on the walled garden use of XRI theme (where my private server acts as a Resource STS (with OAUTH guarding access to the proxy port that does the mappings)) consider applying the proxy config patch attached. Feel free to improve. I'll guess that it would also enhance the configurability of the xri resolver interactive tool, too?
>
> Date: Sun, 23 Aug 2009 13:51:24 +0200
> Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com
> From: mar...@xd...
> To: ho...@ms...
> CC: ope...@li...
>
> Hello Peter, I updated freexri.com again with your latest patches, and I added the following to my code:
>
> this.resolver.addSAMLBypassAuthority("@");
> this.resolver.addSAMLBypassAuthority("=");
> this.resolver.addSAMLBypassAuthority("!");
>
> Now, if I enter @blog*sigtest*sigtestchild in the XRI Resolution tool and turn on "SAML Trusted Resolution", I get the XRD(S) without any error.
>
> Does that mean it works? :D
>
> Markus
>
> On Mon, Aug 17, 2009 at 5:48 PM, Markus Sabadello <mar...@xd...> wrote:
>
> Yeah, I haven't yet updated the various freexri.com tools with your latest patch. Okay, I will try to do that, and configure the resolver to bypass SAML for @, = and !.
>
> No I'm not using my HTTPS cert for signing @blog*... XRDs (I may have said that at some point, if so I was wrong). My cert is self generated and looks like this:
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number:
>             a9:c9:f9:ca:34:55:a5:50
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: C=AT, ST=Vienna, L=Vienna, O=@freeXRI, CN=@!7F6F.F50.A4E4.1133/emailAddress=of...@fr...
>         Validity
>             Not Before: Jul 9 12:51:58 2008 GMT
>             Not After : Jul 9 12:51:58 2028 GMT
>         Subject: C=AT, ST=Vienna, L=Vienna, O=@freeXRI, CN=@!7F6F.F50.A4E4.1133/emailAddress=of...@fr...
>
> Markus
>
> On Mon, Aug 17, 2009 at 5:32 PM, Peter Williams <ho...@ms...> wrote:
>
> I updated to the head.
>
> my unit test works fine, but only when still overriding the (lack of) signature in @blog. The AtAuthority server is not signing @blog (which makes sense, given the DOS opportunity on that root server, when using only software crypto).
>
> not surprisingly, we are getting
>
> Error: Signature verification failed.
> Resolution did not complete successfully.
>
> from the xri resolution tool on the website, when setting the saml request flag in the webform.
>
> can we apply the override config to that tool, for @, either in code or by config?
>
> resolver.addSAMLBypassAuthority("@"); // ignore any type of SAML error when processing the XRD for @
>
> and maybe the same for equalsAuthority and BangAuthority?
>
> it's possible that the root hint store of AtAuthority etc also needs a keyinfo, for the case that the root servers DO sign.
>
> obviously, its cert needs to be that of the root server's signing key... not the cert used by the freeid provider.
>
> I didn't look at the contents of your freeid cert, but recall it may be the same as the https cert on freeid server?
>
> if so, beware of trust issues. The problem is that the CA probably projects a relying party agreement - a license that is probably incompatible with UCI. Ideally, the trust precepts of the saml signing would be independent of the legacy commercial arrangements found in the SSL world. Root keys and legal limits etc should depend on XRI (and i-brokers policies), not on CAs.
>
> Date: Mon, 17 Aug 2009 12:54:19 +0200
> Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com
> From: mar...@xd...
> To: ho...@ms...
> CC: ope...@li...
>
> Hi,
>
> I changed the limit to 16384.
>
> And while doing that, I discovered that it was also my own code that prevented me from putting a ds:KeyInfo into the XRD of @blog. Sorry for blaming the central registry on this.
>
> See here: http://xri.net/@blog?_xrd_r=application/xrd+xml;sep=false;debug=1
>
> I guess this means you should now be able to remove your specific override of the TR validity model that you put in place?
>
> Markus
>
> On Mon, Aug 17, 2009 at 2:17 AM, Peter Williams <ho...@ms...> wrote:
>
> can we quadruple the 2048 char limit now on the admin tool chain for freexri?
>
> I want to play now with synonyms, and services that are tied to the link (SEP) vs the node (authority).
>
> Date: Fri, 14 Aug 2009 23:25:27 +0200
> Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com
> From: mar...@xd...
> To: ho...@ms...
> CC: ope...@li...
>
> As I said, I tried putting it into the @blog auth-res SEP, but it was too large.
> Anyway, here it is:
>
> Sorry, I said earlier it's the same as the one I'm using for HTTPS, but I was wrong. It's a self-generated one.
>
> Markus
>
> On Fri, Aug 14, 2009 at 10:43 PM, Peter Williams <ho...@ms...> wrote:
>
> I've got a trial setup where I can now request and obtain a sig from freexri.org provider site.
>
> the sig fails at the RSA step - meaning I don't have the right public key in my root hint.
>
> can you send me the cert for the signing key, as a base64?
>
> Or just post it to the superior node (as a keyinfo in the @blog SEP of the At Authority)
>
> AtAuthority itself exhibits a saml media type, but doesn't sign its responses (redirecting to the freexri.org server). Under the rules, the client resolver flags this as a partialexception - signature failed (since signing is mandatory, if requested).
>
> More design flaws in the std - the XRI part this time.
>
> The XRI standard can address the xmldsig part. Xmldsig does NOT mandate a marshalling format. XRI should have done that. Xmldsig is for document-signing as well as type-signing, and you have to marshall your types into a non-whitespace format (before signing/verifying) - to get interoperability.
>
> Date: Fri, 14 Aug 2009 22:31:08 +0200
> Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com
> From: mar...@xd...
> To: ho...@ms...
> CC: ope...@li...
>
> see inline
>
> On Fri, Aug 14, 2009 at 8:48 PM, Peter Williams <ho...@ms...> wrote:
>
> I merged with the head. My subtypes work fine, still.
>
> 1. you can eliminate DisoverSignTest. it is essentially now equivalent to SignTest, since you now have it using the XRD type. I will keep it private, where it exercises XRDDiscover subclass - which signs the XRD itself, rather than signing an enveloped-saml-assertion of the XRD.
>
> [Markus] done
>
> 2. I confirmed that I can verify a signature, from my localhost responder.
>
> 3. if you use the admin console to store an SEP for an authority, the db stores it with the original indentation. This is passed through to the marshalled wireform "as-is", and is signed in its original indentation model. (This is a big error in the way the standard was formulated for xmldsig, IMHO, which didn't specify constrained marshalling rules for (cached and signed) XRDs that may exist at different levels in an XRDS resultstream)
>
> [Markus] Still strange that in @blog*lockbox almost everything is without indentation except for a ds:KeyInfo element. I know that those ds:KeyInfo elements are treated specially by the Service class; it probably has something to do with this.
>
> I wasn't even aware that there are such huge problems with xmldsig. I thought that as a developer I can just "hand" my DOM to an xmldsig library, which will take care of all the marshalling / normalizing / etc stuff for me. Apparently not.
>
> 4. assuming the official AtAuthority is happy to pass on a saml-based resolution request to the provider of @blog, I will now attempt to resolve against the xri: @blog*lockbox using the very same client resolver code as has just verified a signature from the provider of (@blog*lockbox)*peter2.
>
> 6. is there an actual authority record for @, and does its auth-res SEP pointing at *blog have a keyinfo for the servercert.pem?
>
> [Markus] Hmm yes I guess if you ask @ for the XRD for *blog, then the auth res SEP should contain the keyinfo with the servercert.pem that is then used to sign the XRDs for @blog*...
>
> I just tried putting it in there, but unfortunately I hit a limit in the central registry that doesn't allow SEPs larger than 2048 chars :) Currently I'm using the key / cert that I'm also using for HTTPS (e.g. https://resolve.freexri.com/ns/@blog/*lockbox). Maybe I should use a smaller, self-generated one instead.
>
> You can ask the authority resolution server of @blog for a self-describing XRDS (at http://resolve.freexri.com/ns/@blog/), and you'll see the keyinfo there, but I guess that doesn't really help, because self-describing XRDses are not used by the resolver logic...
>
> 7. OR, should I put the keyinfo in the AtAuthority root hint stored locally in the resolver client?
>
> [Markus] The @ and = root authorities themselves don't support SAML trusted resolution, so I think there's no point in putting keyinfos into the resolver's built-in hints.
>
> Date: Tue, 11 Aug 2009 21:33:15 +0200
> Subject: I installed the latested OpenXRI on www.freexri.com
> From: mar...@xd...
> To: ho...@ms...
> CC: ope...@li...
>
> And I can get XRDs with SAML assertions, e.g. with this CURL command
>
> curl -H "Accept: application/xrds+xml;saml=true" http://resolve.freexri.com/ns/@blog/*lockbox
>
> Cool. For some reason it seems there is still some indentation in the produced XRDSes.
>
> I'm also using the latest OpenXRI client library in these tools now:
> http://www.freexri.com/tools/XRIResolution/
> http://www.freexri.com/tools/XRIExplorer/
>
> Unfortunately, if I turn on saml=true and try to resolve @blog*lockbox (or any other community i-name from freexri.com), I get "Signature verification failed.". Maybe that has to do with the above mentioned indentation.
>
> Markus
|
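The indentation problem raised in this thread (an SEP stored with indentation is signed as-is, and verification fails once any hop re-marshals it) can be reproduced at the level of the xmldsig Reference digest. This is an added example, not OpenXRI code and not from the posters: it uses Python's standard-library C14N 2.0 as a stand-in for the canonicalization an xmldsig library applies, compares digests only (no RSA step), and all names and sample documents are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down proxy SEP as an admin console might store
# it, with indentation between the child elements.
STORED = """<Service xmlns="xri://$xrd*($v*2.0)">
  <ProviderID>__myproviderid__</ProviderID>
  <Type select="true">xri://$res*proxy*($v*2.0)</Type>
  <URI append="none" priority="1">https://__mysecureproxyserver__</URI>
</Service>"""

# Lexical changes that canonicalization absorbs: attribute order, quote style.
REORDERED = STORED.replace('append="none" priority="1"',
                           "priority='1' append='none'")

# The same content after a hop re-marshals it without indentation.
REMARSHALLED = "".join(line.strip() for line in STORED.splitlines())

# Re-marshalled and altered: the endpoint has been swapped.
TAMPERED = REMARSHALLED.replace("https://__mysecureproxyserver__",
                                "http://__myproxyserver__")


def reference_digest(xml_text, whitespace_free=False):
    """Base64 SHA-256 over the canonical form, like an xmldsig DigestValue.

    With whitespace_free=True, whitespace-only text nodes are dropped before
    digesting. Note that strip_text also trims leading and trailing
    whitespace inside element text, so it only works as a marshalling rule
    that signer and verifier both apply.
    """
    canonical = ET.canonicalize(xml_text, strip_text=whitespace_free)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def reference_validates(received_xml, signed_digest, whitespace_free=False):
    """Recompute the digest of what was received and compare it."""
    recomputed = reference_digest(received_xml, whitespace_free)
    return hmac.compare_digest(recomputed, signed_digest)


def run_cases():
    """Signer digests STORED; the verifier sees one of the variants."""
    as_stored = reference_digest(STORED)
    agreed_rule = reference_digest(STORED, whitespace_free=True)
    return {
        # Canonicalization already hides attribute order and quoting.
        "reordered_attrs": reference_validates(REORDERED, as_stored),
        # Indentation is part of the canonical form, so this breaks.
        "remarshalled": reference_validates(REMARSHALLED, as_stored),
        # Both sides marshal whitespace-free: re-marshalling is harmless.
        "remarshalled_agreed_rule":
            reference_validates(REMARSHALLED, agreed_rule, True),
        # The rule does not hide a real change to the content.
        "tampered_agreed_rule":
            reference_validates(TAMPERED, agreed_rule, True),
    }


if __name__ == "__main__":
    for name, ok in run_cases().items():
        print(f"{name}: {'valid' if ok else 'DIGEST MISMATCH'}")
```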
From: Peter W. <ho...@ms...> - 2009-08-24 15:09:21
|
I do have some standards issues.

If one gets an XRDS via an HXRI proxy, the value that is streamed is "that which has been cid-validated" (by the proxy). Given the XRDS as sent is not validated (and does not make that claim), the mere act of using a proxy means that the bytes in the XRDS change (to represent verified=true). This is because the XRD container itself is used to convey the results of processing by an intermediary (rather than add a SOAP header, in the ws-security model).

Thus the signed elements in the XRDS stream returned by the proxy can never be re-validated, in general by such as the openid consumer.

What one could do logically is exclude from signing those fields that one expects the communication bearer and resolver to alter. But this will require tuning the standard for the xmldsig ways of doing excluding.

From: Peter Williams [mailto:ho...@ms...]
Sent: Monday, August 24, 2009 2:57 AM
To: mar...@xd...
Cc: ope...@li...
Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com

Things sort of work. It's all kind of half baked. But, it's better than it was. it's very sensitive.

So that we keep making progress, let's do this.

consider putting the default keypair in the webapp for the admin console.
consider Adding the commented out trustedServer config to the admin webapp server.xml

Those 2 would mean that the "give me signed" descriptor will then work, by default - in the server tab.

to keep going on the walled garden use of XRI theme (where my private server acts as a Resource STS (with OAUTH guarding access to the proxy port that does the mappings)) consider applying the proxy config patch attached. Feel free to improve. I'll guess that it would also enhance the configurability of the xri resolver interactive tool, too?

_____

Date: Sun, 23 Aug 2009 13:51:24 +0200
Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com
From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

Hello Peter, I updated freexri.com <http://freexri.com/> again with your latest patches, and I added the following to my code:

this.resolver.addSAMLBypassAuthority("@");
this.resolver.addSAMLBypassAuthority("=");
this.resolver.addSAMLBypassAuthority("!");

Now, if I enter @blog*sigtest*sigtestchild in the XRI Resolution tool and turn on "SAML Trusted Resolution", I get the XRD(S) without any error.

Does that mean it works? :D

Markus

On Mon, Aug 17, 2009 at 5:48 PM, Markus Sabadello <mar...@xd...> wrote:

Yeah, I haven't yet updated the various freexri.com <http://freexri.com/> tools with your latest patch. Okay, I will try to do that, and configure the resolver to bypass SAML for @, = and !.

No I'm not using my HTTPS cert for signing @blog*... XRDs (I may have said that at some point, if so I was wrong). My cert is self generated and looks like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            a9:c9:f9:ca:34:55:a5:50
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AT, ST=Vienna, L=Vienna, O=@freeXRI, CN=@!7F6F.F50.A4E4.1133/emailAddress=of...@fr...
        Validity
            Not Before: Jul 9 12:51:58 2008 GMT
            Not After : Jul 9 12:51:58 2028 GMT
        Subject: C=AT, ST=Vienna, L=Vienna, O=@freeXRI, CN=@!7F6F.F50.A4E4.1133/emailAddress=of...@fr...

Markus

On Mon, Aug 17, 2009 at 5:32 PM, Peter Williams <ho...@ms...> wrote:

I updated to the head.

my unit test works fine, but only when still overriding the (lack of) signature in @blog. The AtAuthority server is not signing @blog (which makes sense, given the DOS opportunity on that root server, when using only software crypto).

not surprisingly, we are getting

Error: Signature verification failed.
Resolution did not complete successfully.

from the xri resolution tool on the website, when setting the saml request flag in the webform.

can we apply the override config to that tool, for @, either in code or by config?

resolver.addSAMLBypassAuthority("@"); // ignore any type of SAML error when processing the XRD for @

and maybe the same for equalsAuthority and BangAuthority?

it's possible that the root hint store of AtAuthority etc also needs a keyinfo, for the case that the root servers DO sign.

obviously, its cert needs to be that of the root server's signing key... not the cert used by the freeid provider.

I didn't look at the contents of your freeid cert, but recall it may be the same as the https cert on freeid server?

if so, beware of trust issues. The problem is that the CA probably projects a relying party agreement - a license that is probably incompatible with UCI. Ideally, the trust precepts of the saml signing would be independent of the legacy commercial arrangements found in the SSL world. Root keys and legal limits etc should depend on XRI (and i-brokers policies), not on CAs.

_____

Date: Mon, 17 Aug 2009 12:54:19 +0200
Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com <http://www.freexri.com/>
From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

Hi,

I changed the limit to 16384.

And while doing that, I discovered that it was also my own code that prevented me from putting a ds:KeyInfo into the XRD of @blog. Sorry for blaming the central registry on this.

See here: http://xri.net/@blog?_xrd_r=application/xrd+xml;sep=false;debug=1

I guess this means you should now be able to remove your specific override of the TR validity model that you put in place?

Markus

On Mon, Aug 17, 2009 at 2:17 AM, Peter Williams <ho...@ms...> wrote:

can we quadruple the 2048 char limit now on the admin tool chain for freexri?

I want to play now with synonyms, and services that are tied to the link (SEP) vs the node (authority).

_____

Date: Fri, 14 Aug 2009 23:25:27 +0200
Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com <http://www.freexri.com/>
From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

As I said, I tried putting it into the @blog auth-res SEP, but it was too large. Anyway, here it is:

Sorry, I said earlier it's the same as the one I'm using for HTTPS, but I was wrong. It's a self-generated one.

Markus

On Fri, Aug 14, 2009 at 10:43 PM, Peter Williams <ho...@ms...> wrote:

I've got a trial setup where I can now request and obtain a sig from freexri.org <http://freexri.org/> provider site. The sig fails at the RSA step - meaning I don't have the right public key in my root hint. Can you send me the cert for the signing key, as a base64? Or just post it to the superior node (as a keyinfo in the @blog SEP of the At Authority)

AtAuthority itself exhibits a saml media type, but doesn't sign its responses (redirecting to the freexri.org <http://freexri.org/> server). Under the rules, the client resolver flags this as a partialexception - signature failed (since signing is mandatory, if requested).

More design flaws in the std - the XRI part this time. The XRI standard can address the xmldsig part. Xmldsig does NOT mandate a marshalling format. XRI should have done that. Xmldsig is for document-signing as well as type-signing, and you have to marshall your types into a non-whitespace format (before signing/verifying) - to get interoperability.

_____

Date: Fri, 14 Aug 2009 22:31:08 +0200
Subject: Re: [Openxri-users] I installed the latested OpenXRI on www.freexri.com <http://www.freexri.com/>
From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

see inline

On Fri, Aug 14, 2009 at 8:48 PM, Peter Williams <ho...@ms...> wrote:

I merged with the head. My subtypes work fine, still.

1. You can eliminate DisoverSignTest. It is essentially now equivalent to SignTest, since you now have it using the XRD type. I will keep it private, where it exercises XRDDiscover subclass - which signs the XRD itself, rather than signing an enveloped-saml-assertion of the XRD.

[Markus] done

2. I confirmed that I can verify a signature, from my localhost responder.

3. If you use the admin console to store an SEP for an authority, the db stores it with the original indentation. This is passed through to the marshalled wireform "as-is", and is signed in its original indentation model. (This is a big error in the way the standard was formulated for xmldsig, IMHO, which didn't specify constrained marshalling rules for (cached and signed) XRDs that may exist at different levels in an XRDS resultstream)

[Markus] Still strange that in @blog*lockbox almost everything is without indentation except for a ds:KeyInfo element. I know that those ds:KeyInfo elements are treated specially by the Service class; it probably has something to do with this. I wasn't even aware that there are such huge problems with xmldsig. I thought that as a developer I can just "hand" my DOM to an xmldsig library, which will take care of all the marshalling / normalizing / etc stuff for me. Apparently not.

4. Assuming the official AtAuthority is happy to pass on a saml-based resolution request to the provider of @blog, I will now attempt to resolve against the xri: @blog*lockbox using the very same client resolver code as has just verified a signature from the provider of (@blog*lockbox)*peter2.

6. Is there an actual authority record for @, and does its auth-res SEP pointing at *blog have a keyinfo for the servercert.pem?

[Markus] Hmm yes I guess if you ask @ for the XRD for *blog, then the auth res SEP should contain the keyinfo with the servercert.pem that is then used to sign the XRDs for @blog*... I just tried putting it in there, but unfortunately I hit a limit in the central registry that doesn't allow SEPs larger than 2048 chars :) Currently I'm using the key / cert that I'm also using for HTTPS (e.g. https://resolve.freexri.com/ns/@blog/*lockbox). Maybe I should use a smaller, self-generated one instead. You can ask the authority resolution server of @blog for a self-describing XRDS (at http://resolve.freexri.com/ns/@blog/), and you'll see the keyinfo there, but I guess that doesn't really help, because self-describing XRDSes are not used by the resolver logic...

7. OR, should I put the keyinfo in the AtAuthority root hint stored locally in the resolver client?
[Markus] The @ and = root authorities themselves don't support SAML trusted resolution, so I think there's no point in putting keyinfos into the resolver's built-in hints.

_____

Date: Tue, 11 Aug 2009 21:33:15 +0200
Subject: I installed the latested OpenXRI on www.freexri.com <http://www.freexri.com/>
From: mar...@xd...
To: ho...@ms...
CC: ope...@li...

And I can get XRDs with SAML assertions, e.g. with this CURL command

curl -H "Accept: application/xrds+xml;saml=true" http://resolve.freexri.com/ns/@blog/*lockbox

Cool. For some reason it seems there is still some indentation in the produced XRDSes.

I'm also using the latest OpenXRI client library in these tools now:
http://www.freexri.com/tools/XRIResolution/
http://www.freexri.com/tools/XRIExplorer/

Unfortunately, if I turn on saml=true and try to resolve @blog*lockbox (or any other community i-name from freexri.com <http://freexri.com/> ), I get "Signature verification failed.". Maybe that has to do with the above mentioned indentation.

Markus

---------------------------------------------------------------------------- --
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Openxri-users mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openxri-users
|
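The indentation problem discussed in the thread above, as an added example (not OpenXRI code and not written by either poster): XML canonicalization normalizes attribute order and quoting but keeps whitespace between elements, so a re-indented XRD no longer matches the digest computed over the compact form. It models only the reference-digest step, not the RSA step, and assumes Python 3.8+ `xml.etree.ElementTree.canonicalize` (C14N 2.0) and SHA-256 as stand-ins for the thread's xmldsig stack; the sample XRD, `resolver.example` and the function names are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample XRD (not taken from freexri.com), as the signer marshalled it.
SIGNED = (
    '<XRD xmlns="xri://$xrd*($v*2.0)"><Query>*lockbox</Query>'
    '<Service><Type>xri://$res*auth*($v*2.0)</Type>'
    '<URI priority="10" append="none">https://resolver.example/ns/</URI>'
    '</Service></XRD>')

# Same content with attribute order and quoting changed: C14N normalizes this.
REORDERED = SIGNED.replace(
    'priority="10" append="none"', "append='none' priority='10'")

# Same elements after a store or marshaller re-indented them.
INDENTED = """<XRD xmlns="xri://$xrd*($v*2.0)">
  <Query>*lockbox</Query>
  <Service>
    <Type>xri://$res*auth*($v*2.0)</Type>
    <URI priority="10" append="none">https://resolver.example/ns/</URI>
  </Service>
</XRD>"""

# A real content change: the endpoint host differs.
TAMPERED = SIGNED.replace("resolver.example", "resolver.invalid")


def c14n_digest(xml_text, strip_text=False):
    """Digest of the canonical form, as a reference-digest check computes it."""
    canonical = ET.canonicalize(xml_text, strip_text=strip_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def classify_mismatch(signed_xml, received_xml):
    """Say why the digest of received_xml differs from the signed one."""
    if c14n_digest(signed_xml) == c14n_digest(received_xml):
        return "match"
    # Diagnostic only: a verifier must never strip text to make a digest fit.
    if (c14n_digest(signed_xml, strip_text=True)
            == c14n_digest(received_xml, strip_text=True)):
        return "whitespace-only"
    return "content-changed"


if __name__ == "__main__":
    for name, doc in [("reordered", REORDERED), ("indented", INDENTED),
                      ("tampered", TAMPERED)]:
        print(name, classify_mismatch(SIGNED, doc))
```

A "whitespace-only" result points at the marshalling path (store, pretty-printer, DOM serializer) rather than at the key or the content.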
From: Peter W. <ho...@ms...> - 2009-08-24 09:56:56
|
# This patch file was generated by NetBeans IDE # Following Index: paths are relative to: C:\Users\Administrator\Documents\NetBeansProjects\trunk\openxri-server-logic\src\main\java\org\openxri # This patch can be applied using context Tools: Patch action on respective folder. # It uses platform neutral UTF-8 encoding and \n newlines. # Above lines and this line are ignored by the patching process. Index: config/impl/PropertiesProxyConfig.java --- config/impl/PropertiesProxyConfig.java Base (BASE) +++ config/impl/PropertiesProxyConfig.java Locally Modified (Based On LOCAL) @@ -209,6 +209,24 @@ return authorities.split("\\s+"); } + public String[] getCommunityAuthorities() { + + String commauthorities = this.config.getProperty(ProxyConfig.COMMUNITY_AUTHORITIES, null); + if (commauthorities == null) { + return new String[0]; + } + return commauthorities.split("\\s+"); + } + + public XRD getCommunityAuthority(String ca) + throws URISyntaxException, ParseException + { + String sDescriptor = this.config.getProperty(ca); + + return XRD.parseXRD(sDescriptor, false); + + } + public void setMaxBytesPerRequest(int maxBytesPerRequest) { this.setProp(ProxyConfig.MAX_BYTES_PER_REQUEST, Integer.toString(maxBytesPerRequest)); Index: config/ProxyConfig.java --- config/ProxyConfig.java Base (BASE) +++ config/ProxyConfig.java Locally Modified (Based On LOCAL) @@ -28,6 +28,7 @@ public static final String SAML_BYPASS_AUTHORITIES = "SamlBypassAuthorities"; public static final String BARE_XRI_NOTFOUND_REDIRECT = "BareXRINotFoundRedirect"; public static final String ROOT_REDIRECT = "RootRedirect"; + public static final String COMMUNITY_AUTHORITIES = "CommunityAuthorities"; public static final String DEFAULT_MAX_FOLLOW_REDIRECTS = "10"; public static final String DEFAULT_MAX_FOLLOW_REFS = "10"; 
@@ -139,4 +140,7 @@ public void setRootRedirect(String rootRedirect); + public String[] getCommunityAuthorities(); + + public XRD getCommunityAuthority(String ca) throws URISyntaxException, ParseException; } Index: proxy/impl/BasicProxy.java --- proxy/impl/BasicProxy.java Base (BASE) +++ proxy/impl/BasicProxy.java Locally Modified (Based On LOCAL) @@ -89,9 +89,19 @@ this.resolver.setAuthority("=", this.config.getEqualsAuthority()); this.resolver.setAuthority("@", this.config.getAtAuthority()); this.resolver.setAuthority("!", this.config.getBangAuthority()); + } catch (Exception ex) { throw new ProxyException("Cannot initialize Resolver. Check the =, @ and ! root authorities.", ex); } + try { + String[] commAuthorities = this.config.getCommunityAuthorities(); + for (int i = 0; i < commAuthorities.length; i++) { + XRI x = XRI.fromURINormalForm(commAuthorities[i]); + this.resolver.setAuthority(commAuthorities[i], this.config.getCommunityAuthority(commAuthorities[i])); + } + } catch (Exception ex) { + throw new ProxyException("Cannot initialize Resolver. Check the Community authorities.", ex); + } String[] supports = this.config.getSupportedResMediaTypes(); if (supports != null) { |
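Review bot: In the PropertiesProxyConfig.java hunk, getCommunityAuthority() passes the result of this.config.getProperty(ca) straight to XRD.parseXRD() with no null check, so an authority that is listed in CommunityAuthorities but has no descriptor property hands a null descriptor to the parser instead of producing a clear configuration error; check for null and name the missing key in the error. The descriptor is also looked up under the raw authority string, which shares one key namespace with every other setting in the same properties object, so a key prefix would keep an authority name from colliding with an existing setting. In getCommunityAuthorities(), split("\\s+") on an untrimmed value yields an empty first element when the property starts with whitespace; trim before splitting.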
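Review bot: The additions in the two ProxyConfig.java hunks (COMMUNITY_AUTHORITIES, getCommunityAuthorities() and getCommunityAuthority(String ca)) carry no comment describing the configuration format, namely that the property is a whitespace-separated list and that each listed name is itself the key of a property holding an XRD. Please add Javadoc on the two interface methods stating that format and what getCommunityAuthority() does when the named property is absent, since implementers of the interface other than PropertiesProxyConfig have only the signature to go on.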
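Review bot: In the BasicProxy.java hunk, the loop assigns XRI x = XRI.fromURINormalForm(commAuthorities[i]) and never uses x; if the call is there to validate the authority string, say so in a comment and drop the variable, otherwise remove the line. The new catch (Exception ex) reports "Check the Community authorities." without naming the entry that failed, so include commAuthorities[i] in the ProxyException message. Each entry is registered through the same setAuthority() call as the =, @ and ! roots, which makes the properties file holding these XRDs part of the resolver's trust configuration, and that deserves a comment here. The blank line added before the first } catch is unrelated whitespace and can be dropped.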
From: Markus S. <mar...@xd...> - 2009-08-23 22:34:42
|
Hello,

I revisited an old use case that has come up in the XRI TC a few times: If you have an i-name, how can a third party i-service provider add a SEP to your XRD in order to point to their service? The scenario we talked about a few times was a "Busy Status" provider which would indicate whether you are available/busy/etc. This provider could display your status page at =yourname/(+busy), but how does an appropriate SEP get installed in the user's XRD, without the user having to add it manually at the i-broker?

No problem with OAuth, I said to myself, and so here are 2 demo "Busy Status" providers for your i-name:

busystatus.com is a simple, easy-to-use provider that allows you to indicate your Busy Status with a simple checkbox - either you are busy or not!

buzymazterz.com on the other hand is for those who love a rich feature set. It allows you to choose between FOUR different Busy Statuses and even enter a textual description for your personal Busy Status page!

So.. You can now choose between one of the above Busy Status providers. You go to their site, sign in with your i-name, configure your Busy Status, and then click on "Set up your i-name", which will try to configure your i-name on your behalf via OAuth. After that, people should be able to view your Busy Status via =yourname/(+busy) or =web*yourname/(+busy) or whatever your i-name is. You can even switch between the two providers if you're not happy with your current one.

The only missing piece right now in this demo is how can those providers (which are consumers in the OAuth terminology) discover the i-broker's OAuth endpoints? Currently in the demo this is hardcoded, i.e. the above only works with i-names from freexri.com or fullxri.com.

Here are my questions to anyone who reads this..

1. How does OAuth Discovery fit into this? I assume the way it should work is that every i-name's XRD should have a SEP of type http://oauth.net/discovery/1.0, which would point to another XRD that contains all the OAuth Discovery stuff. Then any third party i-service could be registered with any i-name.

2. Is this just useful in the XRI world, or would it also make sense for non-XRI XRDs? This could be relevant to some very recent topics of the XRI TC. Joseph mentioned a CRUD API for XRD. Would it make sense to expose this whole API via OAuth? Would it be good practice for XRDs on the web with an OpenID SEP (uh, excuse me, I mean link) to also have an OAuth link that allows modifications to the XRD itself?

3. Currently the freexri.com and fullxri.com OAuth endpoints only support a single operation: "Add SEP to XRD". The OAuth details are described here: http://oauth.freexri.com. I know that there are some true OAuth experts on this list :) If you have time, maybe you could review what I wrote on that page, since this is the first time I do anything with OAuth.

In the XDI world, the same pattern could be used if a third party provider wants to add XDI statements to a user's XDI context on their behalf.

Markus |