external trust roots
ydnar
ydnar at shaderlab.com
Wed May 18 08:49:10 PDT 2005

Brad and I have talked about this face to face, so I'll mention it here
so everyone can hammer on it. The "ambiguous loop problem" needs
something in the openid.server URL that clearly ties the external (to
LiveJournal, in this example) URL to be asserted to a specific user.

Brad mentioned a salted SHA-1 hash of userid that LJ would require to
assert an external URL as one solution. Another option would be to pass
along an additional URL argument "openid.assert_also" when the client
discovers another named link in the page. For instance, I would put the
following <link> on my site http://shaderlab.com/:

    <link rel="openid.server"
          href="http://www.livejournal.com/misc/openid.bml" />

In addition to:

    <link rel="openid.also" href="http://ydnar.livejournal.com/" />

This is similar to the XFN rel="me" type here: http://gmpg.org/xfn/11

Without the assert_also argument, the OpenID server would refuse to
assert the external assert_identity URL.

Hammer away...