Securing HTML vs securing HTTP
jens at mooseyard.com
Tue Jan 24 18:08:03 UTC 2006
On 24 Jan '06, at 8:11 AM, Christopher Schmidt wrote:
> I can't modify my Yahoo profile page to respond to them -- but
> yahoo can set up OpenID headers that have information about the
> and send those dynamic requests to someplace that *does* allow for
> changing the contents based on query args.
But you're still dependent on Yahoo to change their software to add
the <link> tag or the HTTP header. My hunch is that talking them into
doing that would be harder than talking them into being an OpenID
server in their own right. (Yahoo would not be happy with letting
some random ID server be in charge of vouching for someone's identity
as a Yahoo member.)
The trade-off seems to be between who gets to use the same URL for
identity and "home page":
(a) With LID, those who have dynamic pages can have the same URL.
Those limited to static pages can't.
(b) With OpenID, those who have static pages can have the same URL.
Those who have dynamic pages could have the same URL, but security
issues make this an unwise idea in almost all cases, so they are
safer making a new static URL.
It seems a little backwards to me to give precedence to people with
fewer capabilities. I don't think such people tend to be early
adopters of anything (other than Comic Sans and fluorescent page
backgrounds). The early adopters of distributed-identity will be (a)
the geeks and pundits who eagerly adopt new Internet technologies;
and (b) bloggers and journalers. The first group will have no problem
with installing a script or plug-in as an identity server, the second
group will get it for free when their blog software or host site adds
it as a feature.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the yadis