Allowing all sites access
Martin Atkins
mart at degeneration.co.uk
Wed May 18 14:30:07 PDT 2005
Andrew Ducker wrote:
> I've been trying to work out a reason I wouldn't allow any site to
> verify that http://andrewducker.livejournal.com/data/foaf is me - they
> can't think to check that address unless I type it in, and if they do,
> all it can check is that I'm also logged in as that user on that site.
>
> That being the case, will it be possible to state that I'd like to
> authorise all sites to verify my identity, rather than authorise them
> one at a time?
>
The authorization state is stored within each ID server, so that's not
really feasible.
The only way LiveJournal can verify non-LJ URLs is by including a hash
of your username in the identity server URL. Since you control your
Identity URL, you decide which username is hashed and included in the
URL and thus can control which LJ user is able to assert that identity.
Theoretically you could also have each identity server keep a list of
assertable identities, but even in that case each identity server would
have to be approved separately as identity servers don't talk to each
other (necessarily).
More information about the yadis
mailing list