Super all-comprehensive specs/overview page (fwd)
Brad Fitzpatrick
brad at danga.com
Mon Jun 27 08:31:00 PDT 2005
On Mon, 27 Jun 2005, Paul Crowley wrote:
> Martin Atkins wrote:
> > Regarding the identity delegation stuff, it says that in order to
> > declare delegation you must include the following:
> > <link rel="openid.server"
> > href="http://www.livejournal.com/openid/server.bml">
> > <link rel="openid.delegate"
> > href="http://bob.livejournal.com/">
>
> Eek. This wasn't what I had intended - in fact, I considered proposing
> this as a change, but decided not to. I had imagined that any given
> page would have at most one of these declarations, and that you'd follow
> the delegation chain until you got to a server declaration.
>
>
> The advantage of doing it this way is that the consumer makes fewer GET
> requests.
That's a big advantage!
> The disadvantage is that you have to be very careful - you're
> making an OpenID request for "http://bob.livejournal.com/" on
> "http://www.livejournal.com/openid/server.bml", but you mustn't assume
> that the latter is actually the idserver for the former, only that this
> pair is the (delegate, idserver) pair for "http://bob.com/".
>
> Otherwise you leave yourself open to a sort of cache poisoning attack
> like DNS. Given how hard it is to specify DNS so as to avoid cache
> poisoning attacks, I'm really nervous of doing things this way; I'll be
> amazed if we never see an implementation that gets this one wrong...
I don't see how it's any more or less work in either of the two cases from
a consumer point of view. (and it's absolutely the same (none) amount of
work for a server....)
In both cases the consumer needs to keep track of the starting point
(bob.com) in its return_to URL (or somewhere else) because the server will
only ever assert the final URL.
Sorry -- explain to me the problem you see? (or not, if you feel it's not
a big deal...?)
- Brad
More information about the yadis
mailing list