<div><div>(I'm ashamed of my url to private key idea) ;)<br>
</div><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">If consumers had private keys (which would suck as a requirement... too<br>much pain), then what do they get from signing a trackback? What does,
<br>say, LiveJournal benefit from getting a trackback that's singed from<br><a href="http://someblog.com">someblog.com</a>? That we know it came from someblog and can trust it? We<br>can't trust the contents... so that the origin is correct? I'm not
<br>bashing this idea... I just don't fully understand what's being<br>verified/protected.<br>
</blockquote><div><br>
We're verifying that the comment came from someblog. And we trust
someblog to *some extent* (because we shared our identity with it) - so
we'll trust it enough to post a trackback to a comment we made. The
purpose of this is that we can recieve notification of comments that we
post in the 'blogosphere', so that I an keep a track of comments I make.<br>
<br>
The consumer could also use their public key to sign any posts they
send to my weblog, so my identity server could tell my wordpress
install to trust someblog - then if our atom api recieves a request
with the querystring params
openid.trust_root=http://someblog/&openid.sig=... it'd know to
accept that post.<br>
<br>
It just seems a simple way to let consumers identify themselves to services other than the identity server.<br>
<br>
And the public key would be *totally* optional for consumers, but if we
add a recommendation that ID servers record the URLs to consumers
public keys, it gives us lots of flexibility with no additional work
for consumers, and minimal extra work for ID servers.<br>
<br>
Hope that makes more sense this time.<br>
<br>
Ben<br>
</div></div>