The reliance on Content-type
Drummond Reed
drummond.reed at cordance.net
Mon Nov 14 18:51:35 PST 2005
FWIW, in XRI resolution (which is only one use of XRDs), asking for the
content type "application/xrd+xml" is required. The goal is to leverage HTTP
content negotiation so that from one XRI that identifies the logical
resource, you can get different types of physical representations of that
resource (an XRD being just one more such representation) by specifying the
content type.
Using HXRIs (the HTTP URI form of an XRI -- see section 6 of
http://www.oasis-open.org/committees/download.php/15310/xri-resolution-V2.0-wd-09.pdf),
this would yield:

URL: http://xri.xdi.org/=drummond.reed
Content Type: application/xrd+xml
Return: XRD

URL: http://xri.xdi.org/=drummond.reed
Content Type: application/html
Return: Web page

URL: http://xri.xdi.org/=drummond.reed
Content Type: application/rdf
Return: RDF file

Again, YADIS need not have this same requirement of specifying a content
type; I'm just explaining how we're using it in XRI infrastructure.
I understand the challenge when a user can't set the content type mapping on
the HTTP server. But in that case, isn't the simplest solution to have the
user's login URL include the actual filename for the YADIS XRD file?
That way, if my server didn't understand application/xrd+xml mapping, and my
short URL was http://example.com/~drummond, I'd know my YADIS login URL
would be whatever I called my actual YADIS XRD file, i.e.:
http://example.com/~drummond/yadis.xml
In other words, rather than "magic filenames", just support: a) exact
URL-to-filename mapping for those users whose identity servers don't
recognize content negotiation for YADIS XRD files, and b) HTTP content
negotiation for users whose identity servers do recognize
"application/xrd+xml".
In the end the only difference is going to be whether you need to type a
filename at the end of your login URL or not.
But I may be missing something...
=Drummond
-----Original Message-----
From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
On Behalf Of David Recordon
Sent: Monday, November 14, 2005 1:55 PM
To: Ernst Johannes
Cc: Discussion OpenID
Subject: RE: The reliance on Content-type
I really do think it is a principle that overrides everything else in
relation to URL based digital identity schemes. We assume a server is
set up so access to a directory is the same for every file within it, but
the reality is I may own david.html and you own johannes.html and we
cannot edit each other's; even though they are in the same directory. I
agree uploading a file may be slightly easier than editing your HTML
document, but the security tradeoff seems to kill the URL based model.
--David
-----Original Message-----
From: Ernst Johannes [mailto:jernst+lists.danga.com at netmesh.us]
Sent: Monday, November 14, 2005 1:28 PM
To: David Recordon
Cc: Discussion OpenID
Subject: Re: The reliance on Content-type
On Nov 14, 2005, at 12:45, David Recordon wrote:
> The issue with any of the URL based magic is that it doesn't work
> along with the concept of owning a single URL.
I agree with the statement, but I'm not certain any more that this is a
principle that overrides everything else. (as much as I like REST, ...)
For example, the case has been made that it is much simpler for Joe User
to upload an additional file to his website than it is to change his
HTML head entry or the script that runs at that URL. Based on gut feel,
this sounds right.
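
The two options Drummond Reed lists at the top of this message, (a) an exact URL-to-filename mapping and (b) HTTP content negotiation on "application/xrd+xml", are shown below as an added example that is not part of the original thread and is not YADIS or XRI project code. The local test server, the "text/xml" label it gives the static file, and the stand-in document bodies are assumptions constructed for the demonstration; the client checks the Content-Type the server actually returned rather than assuming its request was honoured.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

XRD_TYPE = "application/xrd+xml"
XRD_BODY = b"<XRD/>"                    # constructed stand-in for an XRD document
HTML_BODY = b"<html>home page</html>"   # constructed stand-in for a web page

class Handler(BaseHTTPRequestHandler):
    """Hypothetical server: one path negotiates, one is a plain static file."""
    def do_GET(self):
        accept = self.headers.get("Accept", "")
        if self.path == "/=drummond.reed" and XRD_TYPE in accept:
            ctype, body = XRD_TYPE, XRD_BODY      # (b) negotiation honoured
        elif self.path == "/~drummond/yadis.xml":
            ctype, body = "text/xml", XRD_BODY    # (a) exact file, no XRD mapping (assumed label)
        else:
            ctype, body = "text/html", HTML_BODY  # Accept header ignored
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def fetch_xrd(host, port, path):
    """Request an XRD; return (negotiated, body), where negotiated is True
    only if the server itself labelled the response application/xrd+xml."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Accept": XRD_TYPE})
        resp = conn.getresponse()
        return resp.headers.get_content_type() == XRD_TYPE, resp.read()
    finally:
        conn.close()

def run_demo():
    """Start the server on a free local port and fetch all three URLs."""
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        paths = ("/=drummond.reed", "/~drummond", "/~drummond/yadis.xml")
        return {p: fetch_xrd("127.0.0.1", server.server_port, p) for p in paths}
    finally:
        server.shutdown()
        server.server_close()
```

The short URL on the non-negotiating server returns the web page even though an XRD was requested, so only the response Content-Type (or, for the explicit filename, the document itself) tells the client what it received.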