external trust roots

Brad Fitzpatrick brad at danga.com
Wed May 18 09:38:13 PDT 2005


Good description.  The pictures later today (if I get them made) will help
explain some of these confusing cases.

So perhaps make "openid.also" (good name) a requirement, for the case
where you don't mind saying clearly who your linked identity is, and let
the case where you're using somebody else's identity server and don't want
to advertise who you are at that identity server be the
identity-server-specific case with extra URL arguments, like I'm currently
doing with ljuser_sha1=xxxxxxxxxxxxxx ?

But I'm afraid that if only 5% of people have openid.also specified,
only 20% perhaps of identity consumers will check for it.  So I almost
like just making it a URL parameter instead:

http://bradfitz.com/ says:

<link rel="openid.server" href="http://www.livejournal.com/misc/openid.bml?openid.also=http://www.livejournal.com/users/brad/" />

The spec already says not to destroy existing GET arguments, and I
think that'll be far more common to get right.

Actually, to force consumers to do it right, I'm tempted to make
LiveJournal pages be this:

<link rel="openid.server" href="http://www.livejournal.com/auth/?type=openid" />

So if they leave off the type=openid, it all fails.

- Brad


On Wed, 18 May 2005, ydnar wrote:

> Brad and I have talked about this face to face, so I'll mention it here
> so everyone can hammer on it. The "ambiguous loop problem" needs
> something in the openid.server URL that clearly ties the external (to
> LiveJournal, in this example) URL to be asserted to a specific user.
>
> Brad mentioned a salted SHA-1 hash of userid that LJ would require to
> assert an external URL as one solution. Another option would be to pass
> along an additional URL argument "openid.assert_also" when the client
> discovers another named link in the page. For instance, I would put the
> following <link> on my site http://shaderlab.com/:
>
> <link rel="openid.server"
> href="http://www.livejournal.com/misc/openid.bml" />
>
> In addition to:
>
> <link rel="openid.also" href="http://ydnar.livejournal.com/" />
>
> This is similar to the XFN rel="me" type here: http://gmpg.org/xfn/11
>
> Without the assert_also argument, the OpenID server would refuse to
> assert the external assert_identity URL.
>
> Hammer away...
>
>
> _______________________________________________
> yadis mailing list
> yadis at lists.danga.com
> http://lists.danga.com/mailman/listinfo/yadis
>
>
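The two proposals in this thread (a separate `openid.also` link versus an `openid.also` query argument baked into the `openid.server` href), Brad's point that consumers must not drop the GET arguments already present in that href, and ydnar's rule that the identity server should refuse to assert an external URL unless that page itself names the local user, can all be exercised in a small model. The code below is an added example, not code from the thread, LiveJournal or the OpenID spec: the parameter name `openid.assert_also` is taken from ydnar's proposal, the HTML pages and the `example.invalid` impostor page are constructed fixtures, and `fetch` is a stand-in for a real HTTP GET.

```python
"""Model of OpenID link discovery and the 'ambiguous loop' check.

Hypothetical example code: page fixtures are constructed, parameter names
follow the proposals in the thread, and fetch() is backed by a dict.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class LinkRelParser(HTMLParser):
    """Collect the first <link rel=... href=...> seen for each rel value."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel, href = (a.get("rel") or "").strip().lower(), a.get("href")
        if rel and href and rel not in self.links:
            self.links[rel] = href


def discover(page_html):
    """Return (openid.server href, openid.also target) for an identity page.

    openid.also is recognised either as its own <link> (ydnar's form) or as a
    query argument already embedded in the openid.server href (Brad's form).
    """
    p = LinkRelParser()
    p.feed(page_html)
    server = p.links.get("openid.server")
    also = p.links.get("openid.also")
    if server and not also:
        also = dict(parse_qsl(urlsplit(server).query)).get("openid.also")
    return server, also


def build_request_url(server_href, params):
    """Append consumer parameters without destroying the GET arguments the
    identity page already put in the href (e.g. ?type=openid)."""
    parts = urlsplit(server_href)
    query = parse_qsl(parts.query, keep_blank_values=True) + list(params.items())
    return urlunsplit(parts._replace(query=urlencode(query)))


def query_params(url):
    """Decoded query string of a URL as a dict (helper for inspection)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def server_may_assert(external_url, local_identity, fetch):
    """Identity-server side of the check: assert an external URL only if that
    page names this local identity via openid.also. fetch(url) returns the
    page body or None."""
    page = fetch(external_url)
    if page is None:
        return False
    _server, also = discover(page)
    return also is not None and also.rstrip("/") == local_identity.rstrip("/")


# Constructed fixtures standing in for the pages mentioned in the thread,
# plus an impostor page that points at the server but names no user.
PAGES = {
    "http://shaderlab.com/": (
        '<html><head>'
        '<link rel="openid.server" href="http://www.livejournal.com/misc/openid.bml" />'
        '<link rel="openid.also" href="http://ydnar.livejournal.com/" />'
        '</head></html>'
    ),
    "http://bradfitz.com/": (
        '<html><head><link rel="openid.server" '
        'href="http://www.livejournal.com/misc/openid.bml?openid.also=http://www.livejournal.com/users/brad/" />'
        '</head></html>'
    ),
    "http://example.invalid/impostor/": (
        '<html><head>'
        '<link rel="openid.server" href="http://www.livejournal.com/misc/openid.bml" />'
        '</head></html>'
    ),
}

if __name__ == "__main__":
    server, also = discover(PAGES["http://shaderlab.com/"])
    print(build_request_url("http://www.livejournal.com/auth/?type=openid",
                            {"openid.assert_also": also}))
    print(server_may_assert("http://shaderlab.com/", "http://ydnar.livejournal.com/", PAGES.get))
    print(server_may_assert("http://example.invalid/impostor/",
                            "http://ydnar.livejournal.com/", PAGES.get))
```

`build_request_url` is where a consumer that builds the query string by hand (`href + "?" + ...`) silently breaks the `?type=openid` form Brad describes; parsing and re-encoding the existing query keeps both sets of arguments. `server_may_assert` is the server-side refusal ydnar proposes: the external page has to point back at the specific local identity, so a page that merely names the server cannot be asserted as someone else's.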

