crschmidt at crschmidt.net
Wed May 18 06:55:25 PDT 2005
On Wed, May 18, 2005 at 02:31:55PM +0100, Martin Atkins wrote:
> Christopher Schmidt wrote:
> > 1. It leads to confusion over what you might be authenticating
> > against. Even if I can be crschmidt at livejournal or
> > crschmidt at deadjournal or crschmidt at plogs, I don't want to be all of
> > those at once: I should pick one.
> Remember that you're not authenticating as "crschmidt at livejournal",
> you're asking LiveJournal to assert that you are (for example)
> http://crschmidt.net/. There's no implication that http://crschmidt.net/
> and http://crschmidt.livejournal.com/ are the same identity just because
> they are both being asserted by the same server.
In this case, I'm either authenticating as "crschmidt at crschmidt.net"
or "crschmidt at livejournal": that's what crschmidt.livejournal.com is.
Where the identity server lies isn't the key there, just the assertion
> By specifying multiple ID servers on your site, you are saying "all of
> these servers will tell you I'm http://crschmidt.net/". If you've listed
> http://nastyspammer.net/openid and
> http://www.livejournal.com/misc/openid.bml as your ID servers, the
> consumer might have http://nastyspammer.net/openid on a blacklist of ID
> servers that it doesn't trust but be okay with using LiveJournal.
> Both would result in you appearing as http://crschmidt.net/, assuming
> that those servers really do know you are you.
Undertstandable, I suppose. My main concern is the one you bring up
> In the common case, where the consumer has no prejudice, it would be
> free to use whichever it wants -- probably the first encountered.
That's what I'd like to encourage. If I can use whichever one I come
across, then I don't really mind, and you bring up a good point with
your evilspammer example.
> (we could also think about what happens if the ID server is temporarily
> unavailable, but asking consumers to make a bunch of different HTTP
> requests might be unreasonable/unsafe.)
This is my concern: I don't want to be expected to check all the
identities, for example, for fear of upsetting those servers, or for
time. My Python client takes a decent amount of time to do the
authentication: if you're dealing with an entirely server-side auth
process, fetching those hits is time that the user is sitting there
wondering what the hell is taking so long :)
(Yes, I realize that this is one of the reasons there's an AJAX-ified
still black magic to me.)
"I don't work here, I just wish I did."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : http://lists.danga.com/pipermail/yadis/attachments/20050518/3fd3180f/attachment-0001.pgp
More information about the yadis