LJ-specific: asserting off-site FOAF URLs

Brad Fitzpatrick brad at danga.com
Tue May 17 11:59:27 PDT 2005


LiveJournal users,

The LJ yadis server can now assert your external FOAF URLs, but only if
you give it an extra restriction about only matching on your ljusername
(or rather, the SHA1 of it).

For example, http://bradfitz.com/foaf.xml has:

<yadis:identityServer>http://www.livejournal.com/misc/yadis.bml?ljuser_sha1=9233b6f5388d6867a2a7be14d8b4ba53c86cfde2</yadis:identityServer>

And I've told LiveJournal that http://bradfitz.com/foaf.xml is me.

This is necessary because otherwise attacker.livejournal.com could also
say his offsite FOAF is http://bradfitz.com/foaf.xml and who's LiveJournal
to believe?  So your offsite FOAF has to say who's telling the truth.

NOTE TO CLIENT AUTHORS:  respect existing URL arguments in the identity
server.  Don't just tack on a question mark.

NOTE TO SERVER AUTHORS:  I'm sure some client authors will forget, so you
might want to treat a duplicate "?" as a "&", but you may not have control
over that, so put pressure on client authors to do the right thing.

- Brad
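
The two notes above, as an added Python example that is not part of the original message or LiveJournal's code. The argument names `mode` and `return_to` and the host `consumer.example` are constructed for illustration, and refusing to overwrite an argument already present in the identity server URL is this example's own choice.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Identity server URL exactly as published in the FOAF file quoted above.
IDENTITY_SERVER = ("http://www.livejournal.com/misc/yadis.bml"
                   "?ljuser_sha1=9233b6f5388d6867a2a7be14d8b4ba53c86cfde2")


def add_query_args(identity_server, extra):
    """Client side: append arguments while keeping the ones already in the URL.

    Existing arguments (such as ljuser_sha1) carry the restriction the FOAF
    owner asked for, so they are preserved in order and never overwritten.
    """
    parts = urlsplit(identity_server)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    existing = {name for name, _ in pairs}
    for name, value in extra.items():
        if name in existing:
            # Assumption of this example: a collision is an error, not an override.
            raise ValueError("argument already set by identity server: " + name)
        pairs.append((name, value))
    # urlencode percent-encodes "?", "&" and "=" inside values, so the result
    # contains exactly one "?" separating path and query.
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def parse_lenient_query(request_uri):
    """Server side: treat every "?" after the first as "&".

    Caveat: an unencoded literal "?" inside a value is split too; values
    that are percent-encoded (%3F) are unaffected.
    """
    path, _, query = request_uri.partition("?")
    return path, parse_qsl(query.replace("?", "&"), keep_blank_values=True)


def strict_args(url):
    """What a standard parser sees, for comparison with the lenient one."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    good = add_query_args(IDENTITY_SERVER, {"mode": "check"})
    naive = IDENTITY_SERVER + "?mode=check"   # the mistake the note warns about
    print(good)
    print(strict_args(naive))                  # ljuser_sha1 value is corrupted
    print(parse_lenient_query(naive)[1])       # restriction recovered
```

With the naive client, a strict parser sees the `ljuser_sha1` value run together with the client's argument, so the restriction no longer matches; the lenient server parse recovers both arguments.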



