Blog URI, is it necessary?
paul at ciphergoth.org
Mon Jun 6 11:53:57 PDT 2005
Ben Hyde wrote:
> The idea was to allow the ID server to participate in the
> cannibalization process. So if you entered livejournal.com the ID
> server might return alice.livejournal.com. This has a lot of nice
> features (usability, privacy, functional). But it also has a serious
> privacy flaw, as Martin pointed out. For example if alice visits mr.
> evil anonymously he can, without her permission, attempt to
> authenticator at livejournal.com and his reward is suddenly he knows
> that this anonymous visitor is alice. Bleck.
It would be possible to prevent that, but complex. The ID server would
only return this after the user had given that trust_root permission.
But then the client would have to essentially go through the
verification process again, using cached data where possible. Otherwise
I type in ciphergoth.org, and my ID server tells the consumer "actually,
this is bradfitz.com" and the consumer believes it...
It doesn't seem impossible, but it can wait for another protocol
\/ o\ Paul Crowley, paul at ciphergoth.org
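The two checks discussed in this thread, as an added sketch that is not part of either post or of any real ID-server code: the server reveals the specific identity only to an approved trust_root, and the consumer re-verifies whatever identity the server hands back. The `IDServer` class, `consumer_accepts`, the `.example` server URLs and the trust roots are hypothetical names constructed for illustration.

```python
# Constructed delegation records: identity URL -> ID server that URL names.
# A real consumer would get this by fetching the identity page (or a cache).
DECLARED_SERVER = {
    "livejournal.com": "https://ids.livejournal.example/",
    "alice.livejournal.com": "https://ids.livejournal.example/",
    "bradfitz.com": "https://ids.livejournal.example/",
    "ciphergoth.org": "https://ids.ciphergoth.example/",
}


class IDServer:
    """Hypothetical ID server that may return a more specific identity."""

    def __init__(self, url, logged_in_as, approved_roots):
        self.url = url
        self.logged_in_as = logged_in_as
        self.approved_roots = set(approved_roots)

    def assert_identity(self, entered, trust_root):
        # Privacy rule: name the user only to a trust_root the user has
        # already approved, so an unapproved site learns nothing.
        if trust_root not in self.approved_roots:
            return None
        return self.logged_in_as


def consumer_accepts(server, entered, trust_root, lookup=DECLARED_SERVER):
    """Return the verified identity, or None if the assertion is rejected."""
    if lookup.get(entered) != server.url:
        return None  # the entered URL does not name this server at all
    claimed = server.assert_identity(entered, trust_root)
    if claimed is None:
        return None
    # Re-verification: the *returned* identity must itself name this server,
    # otherwise any server could claim to speak for someone else's URL.
    if lookup.get(claimed) != server.url:
        return None
    return claimed


# Constructed scenarios matching the thread.
LJ = IDServer("https://ids.livejournal.example/", "alice.livejournal.com",
              approved_roots={"https://friend.example/"})
ROGUE = IDServer("https://ids.ciphergoth.example/", "bradfitz.com",
                 approved_roots={"https://friend.example/"})
```
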