Progress and some thoughts

Nathan D. Bowen nbowen+yadis at
Tue Jun 21 14:02:51 PDT 2005

meepbear * wrote:

> They just need to exchange keys, but the UA can accomplish that and 
> still be unable to spoof approval.

I don't follow -- if my consumer gets the server's key from the UA, how 
do I know that a server was involved at all?

The whole point of having the UA bring back a *signed* verification 
token is to verify that the token originated at the server. In order for 
the signature to mean anything, we have to be reasonably convinced that 
only the server and the consumer know the secret key.

> The part where the server asks the user to confirm that they want the 
> consumer to ID them seems unnecessary? Since I need to supply an URL 
> and click a button, that would constitute approval already?

It may feel unnecessary in the "legitimate" case when you did supply a 
URL and click a button.

On the other hand, the server doesn't know that you supplied a URL and 
clicked a button. Maybe you thought you clicked "About Us" on my 
website, but my website redirected you to livejournal without your 
asking, in an attempt to figure out who you were. So, if you show up at 
the server with a request to give your identity to a server you've never 
approved before, the only safe thing for the server to do is to stop and 
make sure you know what's happening.

> Having to go through three forms (type in URL, server login and 
> consumer approval) to confirm ID seems like too much trouble for most 
> people to bother with each time when they're used to single sign-on.

Hopefully real-life implementations will ensure that some of these steps 
don't happen _each_ time -- only the first time.

For example, just like a website can give your browser a "remember me" 
cookie, a website could give you a "remember my OpenID" cookie. That 
cookie would say "from now on, if I'm not logged in, automatically log 
me in using the same OpenID I used last time". So if you hit OtherSite 
before logging in -- but yesterday you changed your OtherSite 
preferences to say that you want to automatically log in with your 
LiveJournal OpenID identity -- OtherSite would:
    1) notice your cookie
    2) look up your OpenID
    3) forward you to LiveJournal
    4) receive the response from LiveJournal
    5) log you in

Assuming you were already logged into LiveJournal and you'd already told 
LiveJournal that you trust OtherSite, all you'd have to do is wait a few 
extra seconds for the automatic OpenID login to happen.

More information about the yadis mailing list