Securing HTML vs securing HTTP
crschmidt at crschmidt.net
Tue Jan 24 16:11:50 UTC 2006
On Mon, Jan 23, 2006 at 09:16:53PM -0800, Jens Alfke wrote:
> A different one is for the protocol to derive the ID URL from the
> home/blog URL. Users only see the latter. This is in effect what LID
> does, by appending query parameters to the URL for all of its
> protocol operations. The counter-argument, from the OpenID home page
> is that this "Assumes that identity URLs are dynamic documents that
> can handle fancy URL parameters. Not true in real life, which is key
> for adoption." I'm not sure why this isn't true in real life — maybe
> Brad can explain?
There are still a huge number of pages out there which are not
dynamically generated, or are created by code that users don't have the
ability to modify, etc. I can't set up Geocities to respond to query
params. I can't modify my Yahoo profile page to respond to them -- but
yahoo can set up OpenID headers that have information about the servers,
and send those dynamic requests to someplace that *does* allow for
changing the contents based on query args.
Static HTML still makes up a majority of the internet.
More information about the yadis