Progress and some thoughts
meepbear at hotmail.com
Tue Jun 21 13:35:23 PDT 2005
I have a somewhat rough version of a consumer and server in PHP and a
client/UA/server combination in C#. If the example generator outputs an
accurate protocol trace then they should be alright :).
Some things don't make a lot of sense to me though. For example, you could
eliminate half of the back and forth communication if the UA is the only one
that talks to both the consumer and server, and both those two never
directly talk to each other. They just need to exchange keys, but the UA can
accomplish that and still be unable to spoof approval.
>From the archives it seems the old specification used public key exchange
but I can't understand why it was dropped in favour of the current method.
The part where the server asks the user to confirm that they want the
consumer to ID them seems unnecessary? Since I need to supply an URL and
click a button, that would constitute approval already? Having to go through
three forms (type in URL, server login and consumer approval) to confirm ID
seems like too much trouble for most people to bother with each time when
they're used to single sign-on.
This isn't meant as harsh criticism but just some things that popped into my
head while I was trying to figure things out and implement everything.
Free blogging with MSN Spaces http://spaces.msn.com/?mkt=nl-be
More information about the yadis