Non-browser Identity Verification
Evan Martin
evan.martin at gmail.com
Wed May 18 15:42:45 PDT 2005
On 5/18/05, Brad Fitzpatrick <brad at danga.com> wrote:
> Okay, I think I hear you now. Not all client apps (consumers) will use an
> HTTP library that uses the "system's" cookies, which is unreliable anyway,
> since what browser is the system one? But you're still going to invoke
> their default browser anyway, right, to send them to their homesite to do
> their auth? Otherwise they're giving their password to the consumer app,
> which is scary.
>
> So shit, the local webserver actually is sounding nice.

They've already given their password-equivalent to an app running on
the same system: their web browser. Can Mozilla somehow protect
~/.mozilla/firefox/profile/cookies.txt from being read by an external
application? I don't buy this.

I agree with the concern that too much implementation here will
needlessly complicate things, but designing a reasonable client API is
crucial if you intend for the service to be useful beyond browsers.