Super all-comprehensive specs/overview page

Paul Crowley paul at ciphergoth.org
Mon Jun 27 01:02:32 PDT 2005


Martin Atkins wrote:
> Regarding the identity delegation stuff, it says that in order to
> declare delegation you must include the following:
> <link rel="openid.server"
>       href="http://www.livejournal.com/openid/server.bml">
> <link rel="openid.delegate"
>       href="http://bob.livejournal.com/">

Eek.  This wasn't what I had intended - in fact, I considered proposing 
this as a change, but decided not to.  I had imagined that any given 
page would have at most one of these declarations, and that you'd follow 
the delegation chain until you got to a server declaration.

The advantage of doing it this way is that the consumer makes fewer GET 
requests.  The disadvantage is that you have to be very careful - you're 
making an OpenID request for "http://bob.livejournal.com/" on 
"http://www.livejournal.com/openid/server.bml", but you mustn't assume 
that the latter is actually the idserver for the former, only that this 
pair is the (delegate, idserver) pair for "http://bob.com/".

Otherwise you leave yourself open to a sort of cache poisoning attack 
like DNS.  Given how hard it is to specify DNS so as to avoid cache 
poisoning attacks, I'm really nervous of doing things this way; I'll be 
amazed if we never see an implementation that gets this one wrong...
-- 
   __
\/ o\ Paul Crowley, paul at ciphergoth.org
/\__/ http://www.ciphergoth.org/
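
Added example, not part of the original message and not code from any OpenID implementation: a minimal consumer-side discovery cache showing why the (delegate, idserver) pair must be stored only under the URL of the page that declared it. The `Consumer` class, the `cache_under_delegate` switch, the `other.example` URLs and the `PAGES` table (standing in for HTTP GETs) are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample pages standing in for HTTP GET responses (assumption).
LJ = "http://www.livejournal.com/openid/server.bml"
PAGES = {
    "http://bob.com/":
        f'<link rel="openid.server" href="{LJ}">'
        '<link rel="openid.delegate" href="http://bob.livejournal.com/">',
    "http://bob.livejournal.com/": f'<link rel="openid.server" href="{LJ}">',
    # A page outside Bob's control naming his delegate with a different server.
    "http://other.example/":
        '<link rel="openid.server" href="http://idp.other.example/">'
        '<link rel="openid.delegate" href="http://bob.livejournal.com/">',
}

class LinkParser(HTMLParser):
    """Collects the first openid.server / openid.delegate <link> hrefs."""
    def __init__(self):
        super().__init__()
        self.rels = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") in ("openid.server", "openid.delegate"):
            self.rels.setdefault(a["rel"], a.get("href"))

class Consumer:
    """Hypothetical consumer; cache_under_delegate=True is the mistake."""
    def __init__(self, cache_under_delegate=False):
        self.cache = {}   # claimed URL -> (delegate, idserver)
        self.cache_under_delegate = cache_under_delegate

    def discover(self, claimed):
        if claimed in self.cache:
            return self.cache[claimed]
        parser = LinkParser()
        parser.feed(PAGES[claimed])
        server = parser.rels["openid.server"]
        delegate = parser.rels.get("openid.delegate", claimed)
        # The pair is a fact about `claimed` only, so key it by `claimed`.
        self.cache[claimed] = (delegate, server)
        if self.cache_under_delegate:
            # Wrong: treats the page's server as the delegate's own idserver.
            self.cache.setdefault(delegate, (delegate, server))
        return self.cache[claimed]

def server_for_bob_lj(consumer):
    """Resolve other.example first, then Bob's LiveJournal URL itself."""
    consumer.discover("http://other.example/")
    return consumer.discover("http://bob.livejournal.com/")[1]
```

With the default settings the later lookup of Bob's LiveJournal URL still fetches that page and returns its own declared server; with `cache_under_delegate=True` it returns whatever server the earlier, unrelated page named.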

