Super all-comprehensive specs/overview page

Paul Crowley paul at
Mon Jun 27 01:02:32 PDT 2005

Martin Atkins wrote:
> Regarding the identity delegation stuff, it says that in order to
> declare delegation you must include the following:
> <link rel="openid.server"
>       href="">
> <link rel="openid.delegate"
>       href="">

Eek.  This wasn't what I had intended - in fact, I considered proposing 
this as a change, but decided not to.  I had imagined that any given 
page would have at most one of these declarations, and that you'd follow 
the delegation chain until you got to a server declaration.

The advantage of doing it this way is that the consumer makes fewer GET 
requests.  The disadvantage is that you have to be very careful - you're 
making an OpenID request for "" on 
"", but you mustn't assume 
that the latter is actually the idserver for the former, only that this 
pair is the (delegate, idserver) pair for "".

Otherwise you leave yourself open to a sort of cache poisoning attack 
like DNS.  Given how hard it is to specify DNS so as to avoid cache 
poisoning attacks, I'm really nervous of doing things this way; I'll be 
amazed if we never see an implementation that gets this one wrong...
\/ o\ Paul Crowley, paul at
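Added example, not code from the list or from any OpenID implementation: a toy consumer showing the binding Paul describes, with delegation discovery cached only under the claimed identifier so a (delegate, server) pair learned from one page is never reused as "the server for that delegate". The page contents and URLs are constructed; it also follows delegate-only chains (the one-declaration-per-page design he had in mind), which the quoted spec text does not cover.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# Constructed sample pages (hypothetical URLs), keyed by the URL a consumer GETs.
PAGES: Dict[str, str] = {
    # alice's page carries both declarations, as the quoted spec text requires.
    "http://alice.example/": '<link rel="openid.delegate" href="http://idp.example/alice">'
                             '<link rel="openid.server" href="http://idp.example/openid">',
    # The delegate target itself only declares its server.
    "http://idp.example/alice": '<link rel="openid.server" href="http://idp.example/openid">',
    # bob's page only delegates: the consumer follows the chain to find a server.
    "http://bob.example/": '<link rel="openid.delegate" href="http://idp.example/alice">',
    # mallory's page names alice's delegate but pairs it with a server of mallory's choosing.
    "http://mallory.example/": '<link rel="openid.delegate" href="http://idp.example/alice">'
                               '<link rel="openid.server" href="http://mallory.example/openid">',
}

LINK_RE = re.compile(r'<link\s+rel="(openid\.(?:server|delegate))"\s+href="([^"]*)"', re.I)
MAX_HOPS = 5  # bound on delegation chains so a cycle cannot loop forever

def parse_links(html: str) -> Dict[str, str]:
    """Return the openid.server / openid.delegate hrefs found in a page."""
    return {rel.lower(): href for rel, href in LINK_RE.findall(html)}

class Consumer:
    def __init__(self, fetch: Callable[[str], str]) -> None:
        self._fetch = fetch
        # Cache keyed by the claimed identifier. A (delegate, server) pair learned
        # from page X is stored for X only, never as "the server for delegate".
        self._cache: Dict[str, Tuple[str, str]] = {}

    def discover(self, claimed_id: str) -> Optional[Tuple[str, str]]:
        """Resolve claimed_id to its (delegate, server) pair, or None if absent."""
        if claimed_id in self._cache:
            return self._cache[claimed_id]
        delegate, url = claimed_id, claimed_id
        for _ in range(MAX_HOPS):
            links = parse_links(self._fetch(url))
            server = links.get("openid.server")
            if server is not None:
                # A page stating a server yields the pair for claimed_id only;
                # no entry is written under the delegate URL.
                delegate = links.get("openid.delegate", delegate)
                self._cache[claimed_id] = (delegate, server)
                return self._cache[claimed_id]
            if "openid.delegate" not in links:
                return None
            # Delegate-only page: follow the chain and ask the delegate's own page.
            delegate = url = links["openid.delegate"]
        return None
```

Because the cache is keyed by claimed identifier, a lookup of the delegate URL itself is answered only by what that URL's own page declares, regardless of which pairs other pages have asserted for it.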

More information about the yadis mailing list