Canonical ID

Martin Atkins mart at
Fri May 20 04:59:08 PDT 2005

Ask Bjørn Hansen wrote:
> On May 20, 2005, at 3:18, Martin Atkins wrote:
> Isn't it a pain (and/or flaky) to do that safely? The consumer would
> have to check the new URL/ID the identity server gives you. (Or I'd
> have my rogue ID server respond with when I told the
> consumer

The consumer has to effectively check this anyway. The last stage in 
validation is for the server-side code in the consumer to fetch the 
identity URL, find the identity server and request the public key.

If my rogue ID server "canonicalizes" to, (presumably) won't list my ID
server and thus the consumer will get the wrong server key and the token 
validation will fail.
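
The check described in this message, as an added example that is not part of the original post or of any Yadis code: the consumer discovers the identity server from the ID it was handed back and verifies the token with that server's key. The host names, the `IDENTITY_PAGES` and `SERVER_KEYS` tables, the token format (a signature over the returned ID) and the toy textbook-RSA signing are all assumptions made for illustration.

```python
import hashlib

E = 65537  # public exponent shared by the toy keys

def make_key(p, q):
    """Toy textbook-RSA key pair, a stand-in for a server's real signing key."""
    n = p * q
    return {"n": n, "d": pow(E, -1, (p - 1) * (q - 1))}

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg.encode()).digest(), "big") % n

def sign(key, msg):
    return pow(digest(msg, key["n"]), key["d"], key["n"])

def verify(n, msg, sig):
    return pow(sig, E, n) == digest(msg, n)

# Constructed identity servers and their keys (built from Mersenne primes).
SERVER_KEYS = {
    "https://id.honest.example/": make_key(2**61 - 1, 2**31 - 1),
    "https://id.rogue.example/": make_key(2**89 - 1, 2**107 - 1),
}
# Constructed: the identity server each identity page lists.
IDENTITY_PAGES = {
    "http://alice.example/": "https://id.honest.example/",
    "http://mallory.example/": "https://id.rogue.example/",
}

def server_assert(server_url, returned_id):
    """What an identity server hands back: the ID it claims and a signed token."""
    return {"id": returned_id, "sig": sign(SERVER_KEYS[server_url], returned_id)}

def consumer_validate(assertion):
    """Last validation stage, driven by the returned ID, not by who answered."""
    listed = IDENTITY_PAGES.get(assertion["id"])  # fetch identity URL, find server
    if listed is None:
        return False
    n = SERVER_KEYS[listed]["n"]                  # request that server's public key
    return verify(n, assertion["id"], assertion["sig"])

honest = server_assert("https://id.honest.example/", "http://alice.example/")
# The rogue server "canonicalizes" Mallory's login to Alice's ID.
forged = server_assert("https://id.rogue.example/", "http://alice.example/")
```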
