Super all-comprehensive specs/overview page (fwd)

Paul Crowley paul at
Mon Jun 27 09:35:20 PDT 2005

Brad Fitzpatrick wrote:
> The alternative is to ditch openid.delegate altogether, which I'm still
> fine with.  The advantage was cache efficiency, but I could make LJ users
> who want to use OpenID on external sites have a new <link rel='...'> that
> isn't part of the spec and not munge up teh openid.server URL endpoint at
> all.  I just wouldn't let an LJ user declare an external site as theirs
> unless LJ was able to crawl it (once) and find their LJ link rel tag.

I prefer keeping openid.delegate, so I guess we can keep things as they 
are and I'll change my example generator to reflect the new spec.  The 
spec should explicitly warn against this poisoning attack.  It is 
simpler to prevent than DNS cache poisoning.

Do the examples look right apart from that?
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list