Blog URI, is it necessary?

Paul Crowley paul at ciphergoth.org
Mon Jun 6 11:53:57 PDT 2005


Ben Hyde wrote:
> The idea was to allow the ID server to participate in the 
> canonicalization process.  So if you entered livejournal.com the ID 
> server might return alice.livejournal.com.  This has a lot of nice 
> features (usability, privacy, functional).  But it also has a serious 
> privacy flaw, as Martin pointed out.  For example if alice visits mr. 
> evil anonymously he can, without her permission, attempt to 
> authenticate at livejournal.com and his reward is suddenly he knows 
> that this anonymous visitor is alice.  Bleck.

It would be possible to prevent that, but complex.  The ID server would 
only return this after the user had given that trust_root permission. 
But then the client would have to essentially go through the 
verification process again, using cached data where possible.  Otherwise 
I type in ciphergoth.org, and my ID server tells the consumer "actually, 
this is bradfitz.com" and the consumer believes it...

It doesn't seem impossible, but it can wait for another protocol 
revision: openid.capabilities=redirection...
-- 
   __
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
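Both halves of the fix sketched in this message, as an added example that is not code from the thread or from any OpenID implementation: the ID server names the canonical identifier only to a trust_root the user already approved, and the consumer accepts "actually, this is X" only after discovery on X points back at the same ID server that vouched for the entered identifier, reusing cached discovery results. The discovery table, user records and URLs are constructed stand-ins.

```python
from typing import Optional

# Constructed sample data standing in for real discovery fetches.
# identifier page -> ID server it declares (what a consumer reads from the page)
DECLARED_SERVER = {
    "https://ciphergoth.org/": "https://id.ciphergoth.org/",
    "https://bradfitz.com/": "https://id.bradfitz.com/",
    "https://livejournal.com/": "https://www.livejournal.com/openid/server",
    "https://alice.livejournal.com/": "https://www.livejournal.com/openid/server",
}
# logged-in user -> canonical identifier (known only to the ID server)
CANONICAL = {"alice": "https://alice.livejournal.com/"}
# logged-in user -> trust_roots the user has explicitly approved
APPROVED = {"alice": {"https://friends.example/"}}


class RedirectRejected(Exception):
    pass


def id_server_canonicalize(user: Optional[str], trust_root: str) -> Optional[str]:
    """ID server side: reveal the canonical identifier only to an approved trust_root.
    An unapproved site gets None, so it learns nothing about an anonymous visitor."""
    if user is None or trust_root not in APPROVED.get(user, set()):
        return None
    return CANONICAL[user]


def discover(identifier: str, cache: dict) -> Optional[str]:
    """Consumer-side discovery, memoised so a redirect does not refetch known pages."""
    if identifier not in cache:
        cache[identifier] = DECLARED_SERVER.get(identifier)
    return cache[identifier]


def accept_redirect(entered: str, asserted: str, cache: dict) -> str:
    """Consumer side: accept 'actually, this is <asserted>' only if discovery on the
    asserted identifier delegates to the same ID server that vouched for <entered>."""
    vouching_server = discover(entered, cache)
    if vouching_server is None:
        raise RedirectRejected(f"no ID server declared for {entered}")
    if asserted == entered:
        return entered
    if discover(asserted, cache) != vouching_server:
        # e.g. ciphergoth.org's server claiming "this is bradfitz.com"
        raise RedirectRejected(f"{vouching_server} may not speak for {asserted}")
    return asserted
```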