Allowing all sites access
mart at degeneration.co.uk
Wed May 18 14:35:43 PDT 2005
Andrew Ducker wrote:
> I've been trying to work out a reason I wouldn't allow any site to
> verify that http://andrewducker.livejournal.com/data/foaf is me - they
> can't think to check that address unless I type it in, and if they do,
> all it can check is that I'm also logged in as that user on that site.
> That being the case, will it be possible to state that I'd like to
> authorise all sites to verify my identity, rather than authorise them
> one at a time?
Oops. I guess I misinterpreted "site" as "identity server". I see what
you mean now.
The only case where it's really harmful is where a random site wants to
know "is Andrew viewing me?". Drama-like situations where you've had a
falling out with someone and they want to know if you are reading their
blog spring to mind. Other than that, there's not really any harm in it
because the sites can only find out if a specific ID applies, not a list
of all IDs that apply.
More information about the yadis