Sxip concerns with YADIS
Dick Hardt
dick at sxip.com
Sun Dec 18 04:05:54 UTC 2005
BACKGROUND:
We spent some time looking at YADIS to see how a persona-url could
support multiple identity protocols, specifically, how could someone
have a persona-url that worked with SXIP and the protocols currently
working with YADIS.
We think that the blogosphere will likely be the source of many of
the early adopters of an identity system, and that the URL of their
blog is something they think of as being part of their identity, and
is one of their personas. The URL is a unique identifier, and we call
it a persona-url.
The persona-url points to an HTML page that contains markup that
allows an identity system to discover information about the persona.
YADIS is about allowing Relying Parties (RPs) to understand what
protocol a persona-url supports.[1]
The YADIS Capability Discovery Protocol [2] requires the persona-url
to return either an HTML page that contains a link (capabilities-url)
to an XRDS XML file, or an XRDS XML file.
Assuming the premise that most persona-urls will point to HTML pages,
most of the time the RP will have to fetch two documents, and that
*ALL* RPs will have to have an XML parser.
ISSUES:
1) Performance
- double the number of GETs for all HTML persona-urls
- XML parsers take time to load and parse a file
2) Security
- the user needs control over both the persona-url AND the
capabilities-url to secure their identity. Double the URLs, double
the risk.
3) Implementation
- all major web development platforms have high performance HTML
parsers that present the document as a DOM. XML parsing is common,
but is more complex than manipulating a DOM, and another thing for
the developer to figure out.
- getting two files requires more code, and more chances of
something being broken
SUGGESTION:
We liked the way that OpenID worked earlier with a LINK tag in HTML:
<link rel="openid.server" href="http://bob.com/openid-server.app" >
We will have a LINK tag that looks something like this:
<link rel="dix-homesite" href="http://homesite.com/sxip-server.app"
class="dix:/core#1 dix://sxip.net/siple#1" >
And think that LID could have a tag like this:
<link rel="lid.capabilities" type="application/xrds+xml"
href="http://myid.example.com/capabilities">
Given that most protocols will have their own ways of describing what
they can do, we don't see value in a common capability file.
[1] http://yadis.org/wiki/Main_Page#What.27s_this_all_about.3F
[2] http://yadis.org/wiki/Protocol