Non-HTML Links

Christopher Schmidt crschmidt at crschmidt.net
Wed May 18 06:07:31 PDT 2005 

On Wed, May 18, 2005 at 10:06:35AM +0100, Martin Atkins wrote:
> As I understand it, currently the way to bind to an identity server is 
> through an HTML link element:
> 
> <link rel="openid.server" href="http://www.mydomain.com/openid" />
> 
> It seems a shame to bind Yadis to HTML, though. It would be nice (in my 
> opinion, at least) to provide a mechanism which binds any URL, whatever 
> media type it may point at, to an identity server.
> 
> The best I've come up with so far is the Link HTTP header, which 
> performs a similar purpose to the HTML LINK element. I don't think it 
> was ever formally standardised, but there exists a draft describing it:
>     <http://www.w3.org/Protocols/9707-link-header.html>

I grabbed the author this morning and asked him his thoughts on IRC: you
can see the short exchanged that followed in public logs[1].

I think that the spec makes it clear how it's to be used, and it's got a
well defined behavior, so I don't see any reason not to use it, even
without it being standardized.

> Some thought should also be given to what happens in the case where 
> there are multiple identity server links (HTTP or HTML), especially 
> where both the HTTP header and the HTML document specify different 
> servers. A given document could potentially have serveral identity 
> servers vouching for it, with the intention that the consumer will trust 
> one or more of them.

I don't think that a single document should reference more than one
identity server.

  1. It leads to confusion over what you might be authenticating
  against. Even if I can be crschmidt at livejournal or
  crschmidt at deadjournal or crschmidt at plogs, I don't want to be all of
  those at once: I should pick one.

  2. It leads to UI issues: How do I pick which identity server is mine?
  do I get a dropdown list before something tries to authenticat me? Is
  that extra step worth my while as a user? As a coder, is it worth it
  to even bother with the edge case?

  3. I should have at least a single page that describes each identity,
  whether it be a weblog, a homepage, or whatever. If I don't have a
  seperate page for it, and I can't make one, where is the information
  on the identity behind "crschmidt at example"?

I have a feeling that others will disagree, but I'm in support of the
"first server you come across is the right one".

[1] http://www.ilrt.bris.ac.uk/discovery/chatlogs/swig/2005-05-18#T12-53-38

-- 
Christopher Schmidt
"I don't work here, I just wish I did."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.danga.com/pipermail/yadis/attachments/20050518/775c450d/attachment.pgp

More information about the yadis mailing list