external trust roots

ydnar ydnar at shaderlab.com
Wed May 18 08:49:10 PDT 2005

Brad and I have talked about this face to face, so I'll mention it here 
so everyone can hammer on it. The "ambiguous loop problem" needs 
something in the openid.server URL that clearly ties the external (to 
LiveJournal, in this example) URL to be asserted to a specific user.

Brad mentioned a salted SHA-1 hash of userid that LJ would require to 
assert an external URL as one solution. Another option would be to pass 
along an additional URL argument "openid.assert_also" when the client 
discovers another named link in the page. For instance, I would put the 
following <link> on my site http://shaderlab.com/:

<link rel="openid.server" 
href="http://www.livejournal.com/misc/openid.bml" />

In addition to:

<link rel="openid.also" href="http://ydnar.livejournal.com/" />

This is similar to the XFN rel="me" type here: http://gmpg.org/xfn/11

Without the assert_also argument, the OpenID server would refuse to 
assert the external assert_identity URL.

Hammer away...

More information about the yadis mailing list