Progress and some thoughts

meepbear * meepbear at hotmail.com
Tue Jun 21 13:35:23 PDT 2005


I have a somewhat rough version of a consumer and server in PHP and a 
client/UA/server combination in C#. If the example generator outputs an 
accurate protocol trace then they should be alright :).

Some things don't make a lot of sense to me though. For example, you could 
eliminate half of the back-and-forth communication if the UA is the only one 
that talks to both the consumer and server, and those two never 
talk directly to each other. They just need to exchange keys, but the UA can 
accomplish that and still be unable to spoof approval.
From the archives it seems the old specification used public key exchange, 
but I can't understand why it was dropped in favour of the current method.

The part where the server asks the user to confirm that they want the 
consumer to ID them seems unnecessary? Since I need to supply a URL and 
click a button, that would constitute approval already? Having to go through 
three forms (type in URL, server login and consumer approval) to confirm ID 
seems like too much trouble for most people to bother with each time when 
they're used to single sign-on.

This isn't meant as harsh criticism but just some things that popped into my 
head while I was trying to figure things out and implement everything.

More information about the yadis mailing list