Securing HTML vs securing HTTP
jens at mooseyard.com
Tue Jan 24 05:16:53 UTC 2006
On 23 Jan '06, at 5:15 PM, Kevin Turner wrote:
> There's a pretty straightforward way to address this concern. If you
> don't believe the code that generates your dynamic web page is
> trustworthy enough for your identity, don't use it. Instead of
> your identity URL at http://mooseyard.com/Jens/ , why not
> http://mooseyard.com/o , where "o" is a static page? Personally, I
> little utility in having the identifier I authenticate by as being
> precisely the same as the URL for my blog.
That's a good point, and one I was finding myself unwillingly led
My resistance to it is on the grounds of simplicity or elegance ...
not having too many entities. The URL I use for authentication
becomes my identity. It's what will be displayed at other sites.
People I associate with online will recognize me by it. People who
don't know me will follow that URL to see who I am. It becomes my
But that role of personal home page has already been taken by the
blog, for well-known reasons. It has nicer formatting than I would
create by hand. It always shows the latest things I've written, my
latest bookmarks and photos.
So one solution is to make the ID page a static page that has a name
and picture and a link to the blog.
A different one is for the protocol to derive the ID URL from the
home/blog URL. Users only see the latter. This is in effect what LID
does, by appending query parameters to the URL for all of its
protocol operations. The counter-argument, from the OpenID home page
is that this "Assumes that identity URLs are dynamic documents that
can handle fancy URL parameters. Not true in real life, which is key
for adoption." I'm not sure why this isn't true in real life — maybe
Brad can explain?
PS: I don't mean to march in and start being all argumentative. I
love this stuff, and I'm metaphorically kicking the tires pretty hard
to convince myself it's as good as I want it to be. No hard feelings,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the yadis