<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; "><BR><DIV><DIV>On 24 Jan '06, at 10:24 AM, Josh Hoyt wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"><P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Verdana" size="3" style="font: 11.0px Verdana">With OpenID, you have to depend on</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Verdana" size="3" style="font: 11.0px Verdana">dynamic software to insert one, straightforward <link> tag in a Web</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Verdana" size="3" style="font: 11.0px Verdana">page. With LID, you have to depend on the software to dispatch to the</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Verdana" size="3" style="font: 11.0px Verdana">LID code to actually perform the operation. I think that making sure a</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Verdana" size="3" style="font: 11.0px Verdana">small bit of HTML or an http header is correct is a much simpler</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Verdana" size="3" style="font: 11.0px Verdana">operation than ensuring that all of your identity service dispatching</FONT></P> <P style="margin: 0.0px 0.0px 0.0px 0.0px"><FONT face="Verdana" size="3" style="font: 11.0px Verdana">is working correctly.</FONT></P> </BLOCKQUOTE></DIV><BR><DIV><SPAN class="Apple-style-span">Look back at my earlier messages in this thread. The issue isn't whether I trust the code that runs my identity mojo. As Johannes pointed out, I trust that code because I have no choice but to. The real issue is whether I trust the <I>other</I> dynamic code generating that page not to mess with the identity URLs.</SPAN></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><SPAN class="Apple-style-span">With OpenID, you have to trust <I>all</I> of the software that generates the page. That means that, if you already have a dynamic page using WordPress or Drupal or something like that, you have to trust that entire codebase, plus any 3rd party plug-ins you installed, plus any theme you're using. I trust that software enough to generate a home page and blog for me. I don't know if I trust it with my Internet-wide identity.</SPAN></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>With LID, since the identity URL is distinct from the home-page URL, I can easily add a redirect to my .htaccess to have a separate script manage my identity. I am much more willing to trust that single-purpose script.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Does that make more sense?</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>--Jens</DIV></BODY></HTML>