OpenID (v2.0) already supports the Yadis protocol, and its uses is mandatory for ESG OpenID Providers. If I HTTP GET a user's identity URI, I get a document containing the OpenID Provider endpoint:
Extending this I can include the corresponding MyProxy and the Attribute Service URIs:
<?xml version="1.0"; encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
<XRD>
<Service priority="0">
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<Type>http://openid.net/signon/1.0</Type>
<URI>https://openid.provider.somewhere.ac.uk</URI>
<LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
</Service>
<Service priority="1">
<Type>urn:esg:security:myproxy-service</Type>
<URI>socket://myproxy-server.somewhere.ac.uk:7512</URI>
<LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
</Service>
<Service priority="20">
<Type>urn:esg:security:attribute-service</Type>
<URI>https://attributeservice.somewhere.ac.uk</URI>
<LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
</Service>
</XRD>
</xrds:XRDS>
The priority attribute for each <Service/> element lets the client know which is the preferred service for authentication. The Attribute Service is of course not an authentication service but I'd argue it has a place here as it is an identity service. [17/03/11 - Note correction for this use case: each service element is in the single XRD element, not many XRD elements each with a single service element as I had before!]
Taking this a step further, I can combine it with MyProxy's provisioning functionality, the ability to provision a client with trusted CA certificates it needs to bootstrap trust.
Given an identity URI, I can:
- retrieve the Yadis document
- parse the MyProxy server endpoint
- retrieve the trust roots to bootstrap trust in the identity services for this identity URI.