Seamless Single Signon

Sam Ruby rubys at intertwingly.net
Fri May 20 07:22:03 PDT 2005


Martin Atkins wrote:
> 
> Sorry. I misunderstood what you were saying. It is true that the 
> signature request can happen without making any kind of request to the 
> consumer site in the presence of some OpenID-specific code in the 
> browser. That is what the "Browser Login Plugin" thread was all about, 
> in fact. My post at the head of that thread essentially proposed what 
> you are proposing, albeit with a different user interface and discovery 
> mechanism:
> 
>     <http://lists.danga.com/pipermail/yadis/2005-May/000087.html>

I missed the importance of that thread in my initial scan.  I agree that 
that is essentially the same idea, though many of the specifics are 
different.

> A form naming convention would serve the same purpose as the HEAD 
> metadata I proposed, if perhaps making it a little harder to "discover" 
> the necessary information.
> 
> The only part that cannot currently be automated is the approval on the 
> ID server. For that to work, there would need to be some kind of 
> protocol for the plugin/bookmarklet/filter/whatever to tell the ID 
> server behind the scenes that the site is approved. Of course, this must 
> be designed with an appropriate amount of care to avoid websites 
> pre-approving a user themselves.

I don't fully understand that requirement.

Ultimately, one server gets a token which represents an assertion that 
somebody who owns (or p0wns, but I digress) a given website posted 
this data.

The sole responsibility of the website is to validate that assertion. 
That could be done via a simple web interface.  Or it could be done by 
providing a public key (something that doesn't change, so it is very 
cachable).

From the user's point of view, they are the ones authoring the post. 
Why do they need to give themselves permission to do so?

What am I missing?

- Sam Ruby