OpenID (v2.0) already supports the Yadis protocol, and its use is mandatory for ESG OpenID Providers. If I HTTP GET a user's identity URI, I get a document containing the OpenID Provider endpoint:
Extending this, I can include the corresponding MyProxy and Attribute Service URIs:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/signon/1.0</Type>
      <URI>https://openid.provider.somewhere.ac.uk</URI>
      <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
    </Service>
    <Service priority="1">
      <Type>urn:esg:security:myproxy-service</Type>
      <URI>socket://myproxy-server.somewhere.ac.uk:7512</URI>
      <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
    </Service>
    <Service priority="20">
      <Type>urn:esg:security:attribute-service</Type>
      <URI>https://attributeservice.somewhere.ac.uk</URI>
      <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
The priority attribute on each <Service/> element tells the client which service is preferred for authentication (lower numbers are preferred). The Attribute Service is of course not an authentication service, but I'd argue it has a place here as it is an identity service. [17/03/11 - Note correction for this use case: each Service element sits inside the single XRD element, not in many XRD elements each with a single Service element as I had before!]
Taking this a step further, I can combine it with MyProxy's provisioning functionality: the ability to provision a client with the trusted CA certificates it needs to bootstrap trust.
Given an identity URI, I can:
- retrieve the Yadis document
- parse the MyProxy server endpoint
- retrieve the trust roots to bootstrap trust in the identity services for this identity URI.
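The first two steps of that procedure, as an added example in Python (not code from the original post or from the ESG project): it parses an XRDS document of the shape shown above, orders the services by priority, picks out the MyProxy endpoint from its socket://host:port URI, and flags any web endpoint that is not HTTPS, since a relying party should refuse to send an authentication request to a plain-http endpoint it discovered this way. The sample document and the helper names (parse_yadis, find_service, myproxy_endpoint, non_https_endpoints) are constructed for this example; the hosts are the placeholders used in the post. Fetching the document from the identity URI and the MyProxy trust-root retrieval itself are left out.

```python
import xml.etree.ElementTree as ET  # for untrusted remote XML, defusedxml is the safer drop-in
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import urlparse

XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"

OPENID2_SIGNON = "http://specs.openid.net/auth/2.0/signon"
ESG_MYPROXY_SERVICE = "urn:esg:security:myproxy-service"
ESG_ATTRIBUTE_SERVICE = "urn:esg:security:attribute-service"

# Constructed sample document laid out like the one in the post; the services are
# deliberately out of priority order so the sorting is visible.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>urn:esg:security:attribute-service</Type>
      <URI>https://attributeservice.somewhere.ac.uk</URI>
      <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
    </Service>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/signon/1.0</Type>
      <URI>https://openid.provider.somewhere.ac.uk</URI>
      <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
    </Service>
    <Service priority="1">
      <Type>urn:esg:security:myproxy-service</Type>
      <URI>socket://myproxy-server.somewhere.ac.uk:7512</URI>
      <LocalID>https://somewhere.ac.uk/openid/PJKershaw</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>
"""


class Service(NamedTuple):
    priority: Optional[int]   # None when the priority attribute is absent
    types: List[str]
    uri: Optional[str]
    local_id: Optional[str]


def _tag(local: str) -> str:
    return "{%s}%s" % (XRD_NS, local)


def _first_text(elem, local: str) -> Optional[str]:
    return next((c.text.strip() for c in elem if c.tag == _tag(local) and c.text), None)


def parse_yadis(document: bytes) -> List[Service]:
    """Return the <Service> entries of an XRDS document, most preferred first."""
    root = ET.fromstring(document)
    if root.tag != "{%s}XRDS" % XRDS_NS:
        raise ValueError("not an XRDS document, root element is %r" % root.tag)
    services = []
    for xrd in root:
        if xrd.tag != _tag("XRD"):
            continue
        for svc in xrd:
            if svc.tag != _tag("Service"):
                continue
            prio_attr = svc.get("priority")
            priority = int(prio_attr) if prio_attr is not None else None
            types = [t.text.strip() for t in svc if t.tag == _tag("Type") and t.text]
            services.append(Service(priority, types, _first_text(svc, "URI"),
                                    _first_text(svc, "LocalID")))
    # Lower number = more preferred. A missing priority is treated as the lowest
    # preference (assumption: the convention python-openid uses); ties keep document
    # order rather than the random choice the XRI resolution spec allows.
    services.sort(key=lambda s: (s.priority is None, s.priority or 0))
    return services


def find_service(services: List[Service], type_uri: str) -> Optional[Service]:
    """Most preferred service advertising the given Type URI, or None."""
    return next((s for s in services if type_uri in s.types), None)


def myproxy_endpoint(services: List[Service]) -> Optional[Tuple[str, int]]:
    """(host, port) of the advertised MyProxy server; None if absent or malformed."""
    svc = find_service(services, ESG_MYPROXY_SERVICE)
    if svc is None or svc.uri is None:
        return None
    parsed = urlparse(svc.uri)
    # Accept only the socket://host:port form used in the post.
    if parsed.scheme != "socket" or not parsed.hostname or parsed.port is None:
        return None
    return parsed.hostname, parsed.port


def non_https_endpoints(services: List[Service]) -> List[str]:
    """URIs of web services (signon, attribute service) that are not HTTPS."""
    bad = []
    for svc in services:
        if ESG_MYPROXY_SERVICE in svc.types:
            continue  # MyProxy is not an HTTP service; its URI is checked separately
        if svc.uri and urlparse(svc.uri).scheme != "https":
            bad.append(svc.uri)
    return bad


if __name__ == "__main__":
    svcs = parse_yadis(SAMPLE_XRDS)
    for s in svcs:
        print(s.priority, s.types[0], s.uri)
    print("MyProxy endpoint:", myproxy_endpoint(svcs))
    print("non-HTTPS endpoints:", non_https_endpoints(svcs))
```

The parser compares fully qualified tag names rather than using ElementPath expressions, which sidesteps any question of how the `$` and `*` characters in the XRD namespace interact with path syntax. A client that gets a non-empty result from non_https_endpoints should stop before the third step rather than bootstrap trust from an endpoint it cannot authenticate.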