Non-HTML Links

Christopher Schmidt crschmidt at crschmidt.net
Wed May 18 06:55:25 PDT 2005 

On Wed, May 18, 2005 at 02:31:55PM +0100, Martin Atkins wrote:
> Christopher Schmidt wrote:
> 
> >  1. It leads to confusion over what you might be authenticating
> >  against. Even if I can be crschmidt at livejournal or
> >  crschmidt at deadjournal or crschmidt at plogs, I don't want to be all of
> >  those at once: I should pick one.
> >
> 
> Remember that you're not authenticating as "crschmidt at livejournal", 
> you're asking LiveJournal to assert that you are (for example) 
> http://crschmidt.net/. There's no implication that http://crschmidt.net/ 
> and http://crschmidt.livejournal.com/ are the same identity just because 
> they are both being asserted by the same server.

In this case, I'm either authenticating as "crschmidt at crschmidt.net"
or "crschmidt at livejournal": that's what crschmidt.livejournal.com is.
Where the identity server lies isn't the key there, just the assertion
being made.

> By specifying multiple ID servers on your site, you are saying "all of 
> these servers will tell you I'm http://crschmidt.net/". If you've listed 
> http://nastyspammer.net/openid and 
> http://www.livejournal.com/misc/openid.bml as your ID servers, the 
> consumer might have http://nastyspammer.net/openid on a blacklist of ID 
> servers that it doesn't trust but be okay with using LiveJournal.
> 
> Both would result in you appearing as http://crschmidt.net/, assuming 
> that those servers really do know you are you.

Undertstandable, I suppose. My main concern is the one you bring up
below,

> In the common case, where the consumer has no prejudice, it would be 
> free to use whichever it wants -- probably the first encountered.

That's what I'd like to encourage. If I can use whichever one I come
across, then I don't really mind, and you bring up a good point with
your evilspammer example.

> (we could also think about what happens if the ID server is temporarily 
> unavailable, but asking consumers to make a bunch of different HTTP 
> requests might be unreasonable/unsafe.)

This is my concern: I don't want to be expected to check all the
identities, for example, for fear of upsetting those servers, or for
time. My Python client takes a decent amount of time to do the
authentication: if you're dealing with an entirely server-side auth
process, fetching those hits is time that the user is sitting there
wondering what the hell is taking so long :)

(Yes, I realize that this is one of the reasons there's an AJAX-ified
interface, so clients don't just sit around, but javascript wizardry is
still black magic to me.)

-- 
Christopher Schmidt
"I don't work here, I just wish I did."
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.danga.com/pipermail/yadis/attachments/20050518/3fd3180f/attachment-0001.pgp

More information about the yadis mailing list