Browser Login Plugin

Sam Kramer slambo2001 at gmail.com
Thu May 19 16:47:13 PDT 2005


Instead of public keys, what if the OpenID server randomly generates a
small key, and tells the consumer to use it to encode the trackback? 
I like this better than having optional public keys for consumers
because instead of the consumer having the decision about securing
what they send, the OpenID server has the decision about requiring
what they receive to be secure.  If the server doesn't care about the
security, it shouldn't have to put up with decrypting the trackback
info.

Hope this makes some sense.
-Sam

On 5/19/05, Ben Nolan <bnolan at gmail.com> wrote:
> 
> (I'm ashamed of my url to private key idea) ;)
>   
> > If consumers had private keys (which would suck as a requirement... too
> > much pain), then what do they get from signing a trackback?  What does, 
> > say, LiveJournal benefit from getting a trackback that's signed from
> > someblog.com?  That we know it came from someblog and can trust it?  We
> > can't trust the contents... so that the origin is correct?  I'm not 
> > bashing this idea... I just don't fully understand what's being
> > verified/protected.
> > 
> 
>  We're verifying that the comment came from someblog. And we trust someblog
> to *some extent* (because we shared our identity with it) - so we'll trust
> it enough to post a trackback to a comment we made. The purpose of this is
> that we can receive notification of comments that we post in the
> 'blogosphere', so that I can keep track of comments I make.
>  
>  The consumer could also use their public key to sign any posts they send to
> my weblog, so my identity server could tell my wordpress install to trust
> someblog - then if our atom api receives a request with the querystring
> params openid.trust_root=http://someblog/&openid.sig=...
> it'd know to accept that post.
>  
>  It just seems a simple way to let consumers identify themselves to services
> other than the identity server.
>  
>  And the public key would be *totally* optional for consumers, but if we add
> a recommendation that ID servers record the URLs to consumers' public keys,
> it gives us lots of flexibility with no additional work for consumers, and
> minimal extra work for ID servers.
>  
>  Hope that makes more sense this time.
>  
>  Ben
>  
> _______________________________________________
> yadis mailing list
> yadis at lists.danga.com
> http://lists.danga.com/mailman/listinfo/yadis
> 
> 
>
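
Sam's proposal above, sketched as an added example that is not part of the original thread: the server issues a random per-consumer key and the consumer uses it to authenticate the trackback. It assumes "encode" means an HMAC-SHA256 tag (authentication, not encryption); the key store, function names and sample trackback fields are hypothetical, while openid.trust_root and openid.sig are the parameter names from Ben's message.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, parse_qsl

# Identity-server side: one random key per consumer trust root (hypothetical store).
_consumer_keys = {}

def issue_key(trust_root: str) -> bytes:
    """Server generates a random key and hands it to the consumer."""
    key = secrets.token_bytes(32)
    _consumer_keys[trust_root] = key
    return key

def _canonical(params: dict) -> bytes:
    # Sort fields so both sides MAC the same bytes; the signature itself is excluded.
    items = sorted((k, v) for k, v in params.items() if k != "openid.sig")
    return urlencode(items).encode()

def sign_trackback(key: bytes, params: dict) -> str:
    """Consumer side: return a query string carrying the MAC in openid.sig."""
    sig = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    return urlencode({**params, "openid.sig": sig})

def verify_trackback(query: str) -> bool:
    """Server side: accept only if the MAC matches the key issued to that trust root."""
    pairs = parse_qsl(query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):  # duplicated field names are ambiguous: reject
        return False
    key = _consumer_keys.get(params.get("openid.trust_root", ""))
    sig = params.get("openid.sig")
    if key is None or sig is None:  # unknown consumer or unsigned trackback
        return False
    expected = hmac.new(key, _canonical(params), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes avoids leaking how much of the tag matched.
    return hmac.compare_digest(expected.encode(), sig.encode())

# Constructed sample trackback (not taken from the thread).
SAMPLE = {
    "openid.trust_root": "http://someblog/",
    "url": "http://someblog/post/1#c7",
    "excerpt": "nice post",
}
```

A MAC like this authenticates origin and content only; stopping replay of a captured trackback would additionally need a nonce or timestamp among the signed fields.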

