Browser Login Plugin
Ben Nolan
bnolan at gmail.com
Thu May 19 16:59:41 PDT 2005
Hi Sam,
Just a clarification - consumers wouldn't be sending signed requests to the
ID server, the consumers would only send signed requests to other
webservices. This is so that you can log into your typepad account and tell
typepad that you trust the following sites to post to your weblog.
* flickr.com <http://flickr.com>
* 43things.com <http://43things.com>
* foopad.com <http://foopad.com>
Then whenever you choose "post to blog" from flickr, flickr will generate
the metaweblog post, calculate and attach the signature to the query string,
and then make the post to typepad. That way you don't have to enter your
typepad password at flickr, you just tell typepad that you trust flickr.
Actually - upon further thinking about it - this kind of webservice
authentication doesn't need to be part of OpenID. It'd be cool to be part of
OpenID to ride its coat-tails - but there's no need for the identity server
to keep track of public key URLs.
You can put this idea in the *wishlist* category. :)
Ben
On 5/20/05, Sam Kramer <slambo2001 at gmail.com> wrote:
>
> Instead of public keys, what if the OpenID server randomly generates a
> small key, and tells the consumer to use it to encode the trackback?
> I like this better than having optional public keys for consumers
> because instead of the consumer having the decision about securing
> what they send, the OpenID server has the decision about requiring
> what they receive to be secure. If the server doesn't care about the
> security, it shouldn't have to put up with decrypting the trackback
> info.
>
> Hope this makes some sense.
> -Sam
>
> On 5/19/05, Ben Nolan <bnolan at gmail.com> wrote:
> >
> > (I'm ashamed of my url to private key idea) ;)
> >
> > > If consumers had private keys (which would suck as a requirement... too
> > > much pain), then what do they get from signing a trackback? What does,
> > > say, LiveJournal benefit from getting a trackback that's signed from
> > > someblog.com <http://someblog.com>? That we know it came from someblog
> > > and can trust it? We
> > > can't trust the contents... so that the origin is correct? I'm not
> > > bashing this idea... I just don't fully understand what's being
> > > verified/protected.
> > >
> >
> > We're verifying that the comment came from someblog. And we trust someblog
> > to *some extent* (because we shared our identity with it) - so we'll trust
> > it enough to post a trackback to a comment we made. The purpose of this is
> > that we can receive notification of comments that we post in the
> > 'blogosphere', so that I can keep a track of comments I make.
> >
> > The consumer could also use their public key to sign any posts they send to
> > my weblog, so my identity server could tell my wordpress install to trust
> > someblog - then if our atom api receives a request with the querystring
> > params openid.trust_root=http://someblog/&openid.sig=...
> > it'd know to accept that post.
> >
> > It just seems a simple way to let consumers identify themselves to services
> > other than the identity server.
> >
> > And the public key would be *totally* optional for consumers, but if we add
> > a recommendation that ID servers record the URLs to consumers' public keys,
> > it gives us lots of flexibility with no additional work for consumers, and
> > minimal extra work for ID servers.
> >
> > Hope that makes more sense this time.
> >
> > Ben
> >
>
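The flow described in the message above (flickr signs the post, typepad checks it against the sites the user said to trust), as an added example that is not part of the original thread or of any OpenID specification. Ed25519, the canonical string, hex encoding and the typepad.example URL are assumptions; only the openid.trust_root and openid.sig parameter names come from the thread.

```javascript
const crypto = require('crypto');

// Assumed canonical form (not from the thread): method, host, path, sorted
// query without openid.sig, and a SHA-256 of the body, so none can be altered.
function canonical(method, url, body) {
  const u = new URL(url);
  const query = [...u.searchParams]
    .filter(([k]) => k !== 'openid.sig')
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .sort()
    .join('&');
  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
  return [method, u.host, u.pathname, query, bodyHash].join('\n');
}

// Consumer side (flickr): attach its trust_root and an Ed25519 signature.
function signRequest(method, url, body, trustRoot, privateKey) {
  const u = new URL(url);
  u.searchParams.set('openid.trust_root', trustRoot);
  const msg = Buffer.from(canonical(method, u.href, body));
  u.searchParams.set('openid.sig', crypto.sign(null, msg, privateKey).toString('hex'));
  return u.href;
}

// Service side (typepad): accept only if the claimed trust_root is on the
// user's trusted list and the signature verifies under that site's public key.
function verifyRequest(method, url, body, trustedKeys) {
  const u = new URL(url);
  const key = trustedKeys.get(u.searchParams.get('openid.trust_root'));
  const sig = u.searchParams.get('openid.sig');
  if (!key || !sig) return false;
  const msg = Buffer.from(canonical(method, u.href, body));
  return crypto.verify(null, msg, key, Buffer.from(sig, 'hex'));
}

// Constructed demo data: keys are generated here, the URL is a placeholder.
const flickr = crypto.generateKeyPairSync('ed25519');
const other = crypto.generateKeyPairSync('ed25519');
const trusted = new Map([['http://flickr.com/', flickr.publicKey]]);
const body = '<methodCall>constructed metaWeblog post</methodCall>';
const endpoint = 'http://typepad.example/api?blog=1';
const signed = signRequest('POST', endpoint, body, 'http://flickr.com/', flickr.privateKey);
// Same trust_root claimed, but signed with a key typepad does not hold for it.
const forged = signRequest('POST', endpoint, body, 'http://flickr.com/', other.privateKey);

console.log(verifyRequest('POST', signed, body, trusted));
console.log(verifyRequest('POST', forged, body, trusted));
```

Because the signature covers the body hash and the full query, a request replayed with a different post or blog id fails; replaying the identical request still succeeds, so a deployment would also need a timestamp or nonce inside the signed data.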