glyph at divmod.com
Tue May 17 10:45:09 PDT 2005

On Tue, 17 May 2005 10:22:01 -0700 (PDT), Brad Fitzpatrick <brad at danga.com> wrote:
>Does it rely on SSL?
>I started with the assumption that SSL would be a major roadblock for most
>do-it-yourselfers running blogs, and those do-it-yourselfers would be key
>for something distributed to be adopted.

It relies on SSL, but the protocol that uses SSL is not HTTP, and all SSL interactions are automated.  Your server certificate is automatically created, and it includes the tools for user certificate signing.  As far as the user's concerned the SSL certificate for the non-browser-based tool is just a fancy version of a cookie.  You do:

    % q2q authorize myaccount at mydomain.com
    Password: ****

and now you're "Logged In to the internet" and all subsequent operations use this signed certificate, regardless of what server you're connecting to.  Do-it-yourselfers just run the server and it automatically creates a database to remember other people's certificate hashes and negotiate user credentials with other domains it knows about.

For the browser-based stuff, SSL is totally optional - in fact, I haven't even written the bit that would do authorization using client certificates with a browser, though it's certainly possible (and preferable in situations where security is really important).  The servers are speaking a (non-HTTP) protocol on the back-end which is basically transparent to the DIY'ers' web server setup.
