Andy Dale posted posted some cautions in response to my post on using XRDS. He later summarized his concerns very succinctly:

SEPs in XRDS must be considered self asserted claims and as such should not be trusted on their face. Service Providers should publish the mechanisms by which SEP claims should be validated to be about a specific subject (authenticated identifier).
From The Tao of XDI
Referenced Tue Jun 05 2007 13:48:15 GMT-0600 (MDT)

For an authentication service, this isn't a problem. If I claim is my authentication service, the method for a relying party to check that claim is obvious: have me authenticate. If I claim a phone number as my contact, however, that's no more trustworthy than if I emailed you a phone number. You need to use other factors to determine whether you trust that assertion or not. There's nothing in XRDS that provides that trust layer.

Please leave comments using the sidebar.

Last modified: Thu Oct 10 12:47:19 2019.