mart at degeneration.co.uk
Wed May 18 06:31:55 PDT 2005
Christopher Schmidt wrote:
> 1. It leads to confusion over what you might be authenticating
> against. Even if I can be crschmidt at livejournal or
> crschmidt at deadjournal or crschmidt at plogs, I don't want to be all of
> those at once: I should pick one.

Remember that you're not authenticating as "crschmidt at livejournal",
you're asking LiveJournal to assert that you are (for example)
http://crschmidt.net/. There's no implication that http://crschmidt.net/
and http://crschmidt.livejournal.com/ are the same identity just because
they are both being asserted by the same server.

By specifying multiple ID servers on your site, you are saying "all of
these servers will tell you I'm http://crschmidt.net/". If you've listed
http://www.livejournal.com/misc/openid.bml as your ID servers, the
consumer might have http://nastyspammer.net/openid on a blacklist of ID
servers that it doesn't trust but be okay with using LiveJournal.

Both would result in you appearing as http://crschmidt.net/, assuming
that those servers really do know you are you.

In the common case, where the consumer has no prejudice, it would be
free to use whichever it wants -- probably the first encountered.

(we could also think about what happens if the ID server is temporarily
unavailable, but asking consumers to make a bunch of different HTTP
requests might be unreasonable/unsafe.)
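
The consumer-side selection described in the message above, as an added example that is not part of the original post or of any OpenID implementation: the consumer takes the first listed ID server that is not on its blacklist, and the identity stays the claimed URL whichever server is used. It assumes the ID servers are listed as `<link rel="openid.server">` tags; the sample page and the function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample: an identity page listing two ID servers, in order.
SAMPLE_PAGE = """<html><head>
<link rel="openid.server" href="http://nastyspammer.net/openid">
<link rel="openid.server" href="http://www.livejournal.com/misc/openid.bml">
</head><body>crschmidt</body></html>"""


class _ServerLinks(HTMLParser):
    """Collects ID server URLs in document order (assumed link-tag format)."""

    def __init__(self):
        super().__init__()
        self.servers = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if tag == "link" and "openid.server" in rels and a.get("href"):
            self.servers.append(a["href"].strip())


def listed_servers(page_html):
    parser = _ServerLinks()
    parser.feed(page_html)
    return parser.servers


def choose_server(page_html, blacklist=frozenset()):
    """Return the first listed ID server the consumer trusts, else None."""
    for server in listed_servers(page_html):
        if server not in blacklist:
            return server
    return None  # every listed server is distrusted: refuse, do not fall back


def asserted_identity(claimed_url, page_html, blacklist=frozenset()):
    """The identity is the claimed URL; the server is only who asserts it."""
    server = choose_server(page_html, blacklist)
    return (claimed_url, server) if server else None
```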