openId - sorua

Michael Platzer michael.platzer at
Tue Jul 12 00:16:39 PDT 2005


May I introduce you to SORUA (, a strikingly
similar initiative, with the same underlying concepts and goals as
openId (at least as far as I can tell). And I am one of the co-authors
of the sorua-specification (

We just finalized the specifications (not necessarily meaning that these
are frozen forever), and now try to get people to integrate it into
their software/service. We already got consumer/server running on and on
some other German-speaking weblog-hosts, we got a
typekey-bridge and we provide Mt-plugins. After launching the new
website a couple of days ago, I stumbled across openid... And fell on my
nose after I saw that LiveJournal, resp. Brad is behind that project,
meaning that it is very likely to be widely adopted. Which is good,
really good, since it solves the same problem that we tried to solve.
But it's just (a tiny bit) bad for my ego :-)

The reason why I write to this list here is that I would like to outline
the differences between sorua and openid. So, right now I would say that
the following holds true:
* Sorua does not provide AuthServer-Uri-detection as openId does.
  We intentionally skipped that part, so that we don't require a html
* OpenId is more flexible, in that it allows separation of Identity and Server.
  A smart concept, which we should have thought about too, but this also
  requires the html parsing part.
* OpenId defines the Identity to be a Uri, sorua defines it as
  'AuthServer + Username' (e.g.
  Does that mean that I *need* to have a blog/uri, to use openId? With
  sorua you could also be orürgen
  (non-ascii!). Over here in Europe not everybody got a blog :-) Still the
  Server can associate a url with my Identity by passing along 'url:...'
  in the verification response.
  Another question: The example on says 'Hello,
  Brad! You're now logged in to as Brad from LiveJournal'.
  How does the consumer know that I'm 'Brad' or that I come from
  'LiveJournal', i.e. how can it determine these strings from my Identity?
* OpenId has a convention with input field names, which is smart and
  which we should also adopt
* OpenId recommends shared keys, resp. recommends encrypted shared keys
  (but does not require them? also on the server-side?)
  Against what kind of attacks is a shared key necessary? I couldn't
  find any pointers or discussions about that on the mailing list. We use
  a different concept with a single random token generated by the
  AuthServer, and this seems sufficient to me.
* With sorua the UserServer never has to cache anything.

That's my list so far. Any feedback/clarifications highly appreciated.

I still see a future for sorua, especially since the server, as well as 
the consumer side is from my point of view a lot easier to implement (we 
defined simplicity as one of our main goals). Maybe the two projects can 
learn something from each other, and benefit both from that.

Greetings from Vienna,
  Michael Platzer

