Two possible notable changes
Brad Fitzpatrick
brad at danga.com
Tue May 17 17:12:14 PDT 2005
C'mon Randy, we've had this discussion three times in the past two days:
LiveJournal user "attacker" also lists "http://bradfitz.com" as an
assertable URL.
LiveJournal user "attacker" goes to http://ydnar.com/ to leave a comment.
ydnar.com fetches bradfitz.com, sees the OpenIDServer is
http://www.livejournal.com/misc/yadis.bml
http://www.livejournal.com/misc/yadis.bml says "This is user attacker, and
attacker lists http://bradfitz.com as an assertable URL.
Dear attacker, says LJ, do you want to trust ydnar.com? Why yes I do,
says attacker.
LJ tells ydnar.com that attacker is http://bradfitz.com.
See?
So the point of the "Randy bug" (good name!) is that if an identity
authority is asserting to a URL that it doesn't directly also
control/own/create, then the external URL (bradfitz.com) must reference
the identity server with extra arguments to settle the dispute about who
the owner of bradfitz.com is --- bradfitz or attacker.
- Brad
On Tue, 17 May 2005, Randy Reddig wrote:
> I like simplification. This simplifies Yadis/OpenID down to a single <link> tag plus some implementation work on the ID server side.
>
> I'm not sure, however, that having the ID server link have a built-in unique identifier is necessary, simply because a user listing a root URL as "me" implements the bidirectional linking necessary:
>
> - LiveJournal user "brad" lists "http://bradfitz.com" as an assertable URL.
>
> - http://bradfitz.com has the following link:
> <link rel="OpenIDServer"
> href="http://www.livejournal.com/misc/yadis.bml">
>
> Technically, any user could list "http://bradfitz.com" as an assertable URL, but unless they /control/ "http://bradfitz.com", the user can't implement the bidirectional link.
>
> Besides, since the protocol says "add these args to the query string", it's nicer to have an ID server URL that doesn't have a query string on it already. Less stuff to implement and/or break.
>
> Does this make sense?
>
> y
>
>
> -----Original Message-----
> From: Brad Fitzpatrick [mailto:brad at danga.com]
> Sent: Tuesday, 17 May, 2005 16:37
> To: yadis at lists.danga.com
> Cc: Randy Reddig
> Subject: Two possible notable changes
>
> Couple things that may or may not happen soon here:
>
> 1) We're probably going to rename to OpenID, since the OpenID.net people
> are offering their domain name. Thanks! Much love.
>
> We all hate the yadis name anyway. Yet Another? So blah.
>
> And after fighting it initially, I think one of my co-workers and some
> of the Technorati folk are convincing me:
>
> 2) We may drop the FOAF bit altogether, and just assert root URLs.
> This makes sure we don't bind Yadis/OpenID to the "semantic web
> XML flavor of the day" and get only 33% of the semantic web
> posse behind us, and 25% next month, and 10% next month, as they
> slowly move to the next format... FOAF, vCard, hCard, XFN, etc.
> I don't really want to choose my gang colors, ya know? I don't
> much care.
>
> People writing a trust system on top of this can work
> from the ugly HTML (or maybe it's XHTML by then, hah) and use
> some or all of FOAF, hCard, XFN, etc.
>
> So LiveJournal for user "bob" would positively assert the follow
> root URLs as being owned by bob:
>
> http://www.livejournal.com/users/bob/
> http://www.livejournal.com/~bob/
> http://bob.livejournal.com/
>
> And for those geeks out there with their own domain names (yes, I'm
> one, and you're one, but we're not the common case), you either run
> your own identity server, or you use somebody else's that's paranoid.
> For example, LiveJournal's would only assert off-site URLs which
> come to us with a rel="me" type of deal (not using XFN) as we currently do,
> with ljuser_sha1=9233b6f5388d6867a2a7be14d8b4ba53c86cfde2
>
> Meaning that site, however it referred to us, referred to us saying
> that it's user "brad" at LiveJournal, and LiveJournal as its identity
> authority should only assert it if brad is the one logged in. That
> way user "attacker" on LiveJournal can't also add the same offsite
> URL to his external list, because he doesn't control that URL's content.
>
> The embedding method may be:
>
> <link rel='identity_server' href="http://www.livejournal.com/misc/yadis.bml?ljuser_sha1=9233b6f5388d6867a2a7be14d8b4ba53c86cfde2" />
>
> Somebody tell me the right way. I don't much care.
>
> FOAF's advantage was that its URL resolved to machine-readable content,
> but any client using it would've had to parse the FOAF and find the URL
> to show to an end user, because FOAF won't even render in a browser
> with its recommended mime-type, and looking at a DHTML XML tree in a browser
> sucks anyway from a user-experience standpoint.
>
> A root URL's advantage is that it's probably more stable, if FOAF becomes
> less hip, and that users can just click it, and trust graph crawlers can
> use everything in the HTML to do their metrics. Notable, if an assertion
> was made that a user is:
>
> http://bradfitz.com/
>
> And bradfitz.com links as its FOAF:
>
> http://bradfitz.com/foaf.xml
>
> That FOAF can be trusted based on it being under that original URL. But
> if the bradfitz.com link rel points to a FOAF on another domain, that
> FOAF can't be trusted unless it contains, say, an XFN rel="me" pointer
> back to the asserted domain.
>
> But end-users don't care about that. We'll leave that to the trust metric
> crew. We'll build a list of best practices and name each security gotcha
> so when we see a tool doing something stupid we say, "Yo, Graph-o-matic,
> you're victim to the That-FOAF-was-never-asserted bug!" and have a link for
> them.
>
> Best practice for end users (and tool vendors) is that FOAF files are under
> the asserted root, and linked from the root as well, so when the client app
> is crawling the HTML for that identity server rel tag, it can come back at
> the same time and give the FOAF URL at the same time (only if it was under!)
> and say, "yo, here's the identity server, and if this 'bradfitz.com' URL is
> asserted, you might want to know this FOAF file would therefore also be
> asserted, so you can safely link/parse it for some good info."
>
> Did I lose you all?
>
> The point is to make Yadis/OpenID generic and future-proof.
>
> Can I get some +1 and -1 from the audience? -1 with comments,
> preferrably.
>
> - Brad
>
More information about the yadis
mailing list