Super all-comprehensive specs/overview page (fwd)
paul at ciphergoth.org
Mon Jun 27 09:35:20 PDT 2005
Brad Fitzpatrick wrote:
> The alternative is to ditch openid.delegate altogether, which I'm still
> fine with. The advantage was cache efficiency, but I could make LJ users
> who want to use OpenID on external sites have a new <link rel='...'> that
> isn't part of the spec and not munge up teh openid.server URL endpoint at
> all. I just wouldn't let an LJ user declare an external site as theirs
> unless LJ was able to crawl it (once) and find their LJ link rel tag.
I prefer keeping openid.delegate, so I guess we can keep things as they
are and I'll change my example generator to reflect the new spec. The
spec should explicitly warn against this poisoning attack. It is
simpler to prevent than DNS cache poisoning.
Do the examples look right apart from that?
\/ o\ Paul Crowley, paul at ciphergoth.org
More information about the yadis