
2008/11/14

XRD Simple Sign

Filed under: - Nat @ 9:48 pm

I had a very good discussion this morning at OASIS Open XRI TC F2F Day 2.

I came up with the XRD SimpleSign Proposal - Three options on Certificate URI locations to choose from, and we discussed pros and cons of those options and came up with a fairly robust result.

See: http://wiki.oasis-open.org/xri/XrdOne/SimpleSign

The key here is to use the X.509 v.2 field “SubjectUniqueIdentifier” to store the CanonicalID.
By doing so, the XRD and the certificate are tightly coupled, without the need to follow the resolution chain as has been the case in XRI Resolution 2.0.

Thus, this XRD can trivially prove that it is authoritative for the entity with the CanonicalID (SubjectUniqueIdentifier), and can serve the public key certificate, i.e., it can be used for Public Key Discovery. This XRD will also describe what service this entity offers, or with what service this entity has a preferred relationship.
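
As an added illustration (not part of the original post or of the SimpleSign proposal), the sketch below shows the binding check described above: it pulls subjectUniqueID out of a DER certificate and compares it to the XRD's CanonicalID. It assumes the CanonicalID is stored as UTF-8 bytes in the bit string; the function names, the sample identifier, the placeholder namespace and the skeleton certificate are constructed, and certificate-chain and XRD signature validation are assumed to happen separately.

```python
import xml.etree.ElementTree as ET

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def subject_unique_id(cert_der):
    """Return the subjectUniqueID bytes of a DER certificate, or None."""
    _, cert, _ = read_tlv(cert_der, 0)  # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)       # tbsCertificate is its first member
    pos = 0
    while pos < len(tbs):
        tag, value, pos = read_tlv(tbs, pos)
        if tag == 0x82:                 # [2] IMPLICIT BIT STRING
            if not value or value[0] != 0:
                raise ValueError("subjectUniqueID is not byte-aligned")
            return value[1:]            # drop the unused-bits octet
    return None

def canonical_id(xrd_xml):
    """Return the text of the XRD's CanonicalID element, or None."""
    # Match on local name only; the XRD namespace is not given in the post.
    for el in ET.fromstring(xrd_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "CanonicalID":
            return (el.text or "").strip()
    return None

def xrd_bound_to_cert(xrd_xml, cert_der):
    """True only if both identifiers are present and match exactly."""
    cid, uid = canonical_id(xrd_xml), subject_unique_id(cert_der)
    return bool(cid) and uid is not None and uid == cid.encode("utf-8")

def der(tag, body=b""):
    """Encode one DER element (short-form length; sample data is small)."""
    return bytes([tag, len(body)]) + body

# Constructed sample data: an unsigned certificate skeleton with empty fields.
SAMPLE_ID = "=!1111.2222.3333.4444"
SAMPLE_XRD = f'<XRD xmlns="urn:example:xrd"><CanonicalID>{SAMPLE_ID}</CanonicalID></XRD>'
_tbs = (der(0xA0, der(0x02, b"\x01")) + der(0x02, b"\x01") + der(0x30) * 5
        + der(0x82, b"\x00" + SAMPLE_ID.encode("utf-8")))
SAMPLE_CERT = der(0x30, der(0x30, _tbs) + der(0x30) + der(0x03, b"\x00"))
```

A certificate with no subjectUniqueID, or an XRD whose CanonicalID differs by even one character, fails the check rather than falling back to another identifier.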

IMHO, it is a very powerful tool, and I am so excited about it.
It can add a security layer that OpenID et al. needed so badly.

It might change the world, at least in a small way.

:hammer:

