Blog URI, is it necessary?

Paul Crowley paul at
Mon Jun 6 11:53:57 PDT 2005

Ben Hyde wrote:
> The idea was to allow the ID server to participate in the 
> cannibalization process.   So if you entered the ID 
> server might return  This has a lot of nice 
> features (usability, privacy, functional).  But it also has a serious 
> privacy flaw, as Martin pointed out.  For example if alice visits mr. 
> evil anonymously he can, without her permission, attempt to 
> authenticator at and his reward is suddenly he knows 
> that this anonymous visitor is alice.  Bleck.

It would be possible to prevent that, but complex.  The ID server would 
only return this after the user had given that trust_root permission. 
But then the client would have to essentially go through the 
verification process again, using cached data where possible.  Otherwise 
I type in, and my ID server tells the consumer "actually, 
this is" and the consumer believes it...

It doesn't seem impossible, but it can wait for another protocol 
revision: openid.capabilities=redirection...
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list