openId - sorua
michael.platzer at knallgrau.at
Tue Jul 12 00:16:39 PDT 2005
May I introduce you to SORUA (http://www.sorua.net), a strikingly
similar initiative, with the same underlying concepts and goals as
openId (at least as far as I can tell). And I am one of the co-authors
of the sorua-specification (http://www.sorua.net/specification).

We just finalized the specifications (not necessarily meaning that these
are frozen forever), and now try to get people to integrate it into
their software/service. We already got consumer/server running on
twoday.net and on some other German-speaking weblog-hosts, we got a
typekey-bridge and we provide Mt-plugins. After launching the new
website a couple of days ago, I stumbled across openid... And fell on my
nose after I saw that LiveJournal, resp. Brad is behind that project,
meaning that it is very likely to be widely adopted. Which is good,
really good, since it solves the same problem that we tried to solve.
But it's just (a tiny bit) bad for my ego :-)

Reason why I write to this list here is, that I would like to outline
the differences between sorua and openid. So, right now I would say that
the following holds true:

* Sorua does not provide AuthServer-Uri-detection as openId does.
We intentionally skipped that part, so that we don't require a html
* OpenId is more flexible, in that it allows separation of Identity and Server.
A smart concept, which we should have thought about too, but this also
requires the html parsing part.
* OpenId defines the Identity to be a Uri, sorua defines it as
'AuthServer + Username' (e.g. twoday.net:michi).
Does that mean that I *need* to have a blog/uri, to use openId? With
sorua you could also be del.icio.us:klemens or flickr.com:jürgen
(non-ascii!). Over here in Europe not everybody got a blog :-) Still the
Server can associate a url with my Identity by passing along 'url:...'
in the verification response.
Another question: The example on http://www.openid.net/ says 'Hello,
Brad! You're now logged in to someblog.com as Brad from LiveJournal'.
How does the consumer know that I'm 'Brad' or that I come from
'LiveJournal', i.e. how can it determine these strings from my Identity?
* OpenId has a convention with input field names, which is smart and
which we should also adopt
* OpenId recommends shared keys, resp. recommends encrypted shared keys
(but does not require them? also on the server-side?)
Against what kind of attacks is a shared key necessary? I couldn't
find any pointers or discussions about that on the mailing list. We use
a different concept with a single random token generated by the
AuthServer, and this seems sufficient to me.
* With sorua the UserServer never has to cache anything.
That's my list so far. Any feedback/clarifications highly appreciated.
I still see a future for sorua, especially since the server, as well as
the consumer side is from my point of view a lot easier to implement (we
defined simplicity as one of our main goals). Maybe the two projects can
learn something from each other, and benefit both from that.
Greetings from Vienna,