using the identity url to contain a key fingerprint
mart at degeneration.co.uk
Wed May 25 06:51:05 PDT 2005
Okay. I think I see what you're getting at this time.
I agree with you to a certain extent. OpenID is very specific to a
single use case and methodology. However, its advantage is that it works
*today* without any major changes to client software or a major learning
curve for users, and it is already capable of solving the particular
problem it was originally designed to solve: "Is this user Bob that has
posted on my site today the same Bob who posted last week, and the same
Bob who posted on Joe's site?"
Jean-Luc Delatre wrote:
> - *These* requirements can be very easily fullfilled by using a public
> key system and stating that
> the user ID *is* the public key!!!
> - In order to authenticate a login the website just need to ask the
> client side to sign some piece of text
> with his secret key, thus also providing along his public key which
> *is* the sought for user ID.
> Et voila!!!
I would *love* to see a proper public-key based login system as you
describe. I've been going around telling everyone what a great idea it
is for a long time. However, there is no way to do that without
modifying the client, and the client is a big, heavy, immovable object:
everyone uses a different client, and many people will never upgrade it.
Most importantly, there are millions of clients!
OpenID provides a working solution which works for websites today. It
does not provide a magic bullet for authentication needs in every
scenario by any stretch of the imagination, and it can in many respects
be described as a "giant hack", but it's a hack that works.
Most of our discussions here have been about refining the system and
attempting to make it more general or more secure without losing the
simplicity, which I think is a good goal.
To address your final point:
> If the deployment is awkward it will not take off, YOU WILL BE
I'd would argue that deployment of a client-only public-key system would
be far more awkward than OpenID, which requires only a change to the
server. There are far more clients than there are servers. I think
OpenID's simplicity is its primary virtue, actually.
However, even if for some reason this doesn't take off beyond
LiveJournal+clones and Movable Type/TypeKey it's already being used by a
very large portion of the "weblog" community, which was what it set out
to do in the first place.
All the best,
More information about the yadis