Non-browser Identity Verification

Brad Fitzpatrick brad at
Wed May 18 12:25:13 PDT 2005

With the local webserver hack, I'm not willing to extend the
otherwise-simple protocol for some weird case.

No identity servers will support the weird case, and therefore all the
consumer desktop apps that want to work with OpenID will do the local
webserver hack anyway, perpetuating the demise of your "raw" mode.

- Brad

On Wed, 18 May 2005, Martin Atkins wrote:

> Brad Fitzpatrick wrote:
> >
> > Okay, I think I hear you now.  Not all client apps (consumers) will use an
> > HTTP library that uses the "system's" cookies, which is unreliable anyway,
> > since what browser is the system one?  But you're still going to invoke
> > their default browser anyway, right, to send them to their homesite to do
> > their auth?  Otherwise they're giving their password to the consumer app,
> > which is scary.
> >
> I did lots of thinking about giving the username and password to the
> app, but I concluded that it doesn't really matter that much. The user
> can decide whether or not to trust the software, just like the user
> trusts that his email client will not send his email password off to
> some collector site, or that a LiveJournal desktop client won't do
> similarly.
> Paranoid people can just not use any software which demands their passwords.
> _______________________________________________
> yadis mailing list
> yadis at
