Securing HTML vs securing HTTP

Kevin Turner kevin at
Tue Jan 24 18:24:57 UTC 2006

On Mon, 2006-01-23 at 21:28 -0800, Johannes Ernst wrote: 
> > > Personally, I find little utility in having the identifier I
> > > authenticate by as being precisely the same as the URL for my
> > > blog. 
> I very much disagree.

I know that there are those who do, and I know that this "business card
use case" was a primary consideration in the design of YADIS, but it is
not a quality I put much value in for my own use.

> - If somebody types your name (or whatever details about you) into
> Google, don't you want the first URL to show up to be your identity
> URL?

Not really.  I consider my OpenID to be an identifier I authenticate
with.  It's for machines that speak the OpenID authentication protocol.
People who type my name into Google don't fall into that category.

> - If somebody tags "you" in, it's likely they will
> "accidentally" tag your blog instead of your identity URL.

Good -- tagging my blog is probably more useful to them.  (Not to claim
that tagging my blog is all that useful.)  My blog is something they can
read, OpenID is not.  And -- as it is a link sharing
mechanism, not a reputation system -- should be cataloging things that
are useful to read, not "me."

> - If you leave a comment on somebody else's web page, don't you want a
> click onto your identity URL to lead back to your blog?

Maybe a link to my blog would be appropriate there, or maybe a link to
contact me would be, or maybe a link to look up my ranking on my
reputation server.  Or maybe it's in a community where linking to my
photography feed makes way more sense than linking to my blog.  Or maybe
it's not appropriate to publicly display my ID there at all, the system
should just publish my comment as coming from "a customer of 3 years."
Linking to a blog or home page is one use case, but not necessarily the
most important one.  Really, if the service wants something to link back
to, it should probably query my profile server about it.  That way it
can ask for the things that are relevant to it and use as many of them
as it wants or as few of them as I make available.

If I do decide there is one thing that is particularly important to
direct hypertext readers to if they happen to click on my OpenID
identifier, well, then I could put a link or a JavaScript redirect on
that page.  That would be pretty trivial, and can be done in a static
fashion without involving a lot of potentially untrusted code.


 - Kevin

(These views here are my own and do not necessarily reflect the policy
that my employers use in all our OpenID products.  Except for perhaps
the products where they left the design whiteboards out where I could
scribble on them.)

More information about the yadis mailing list