Non-browser Identity Verification
Martin Atkins
mart at degeneration.co.uk
Fri May 20 05:18:38 PDT 2005
Brad Fitzpatrick wrote:
>
> So identity server only supports "Just this once" when it's a local
> service connecting.
>
> Maybe the return_to_url is:
>
> http://127.0.0.1:23423/MusicBrainz
>
> And then the identity server says:
>
> Do you want to trust the application "MusicBrainz" on your local
> machine to verify your identity?
>
> Neat, eh? :)
>
If this approach is taken, I motion to use the hostname "localhost"
rather than the IP address. Hardcoding that IP address restricts the spec
to be used with IPv4, and using IP addresses isn't really in the spirit
of HTTP anyway.

However, I suppose using the DNS does open up the possibility of an
unscrupulous admin arranging for "localhost" to resolve to something
else. I think, though, that if you can't trust your nameserver then
you've got bigger problems...
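The trade-off discussed in this thread, as an added example that is not part of the original messages or of any YADIS code: an identity server can recognise a local return_to URL without DNS by accepting loopback IP literals (IPv4 or IPv6) and the exact name "localhost", while the local application can check that "localhost" really resolves only to loopback addresses on its own machine. The function names, and the split of checks between server and application, are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def local_return_to(url):
    """Server side: classify a return_to URL without doing any DNS lookup.

    Returns "literal" for a loopback IP literal (IPv4 or IPv6), "name" for the
    hostname "localhost", and None for everything else.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None  # malformed URL, e.g. an unterminated IPv6 bracket
    host = parts.hostname  # lowercased; userinfo, port and IPv6 brackets removed
    if parts.scheme != "http" or not host:
        return None
    try:
        return "literal" if ipaddress.ip_address(host).is_loopback else None
    except ValueError:
        pass  # not an IP literal, so it is a DNS name
    return "name" if host.rstrip(".") == "localhost" else None


def system_resolver(name):
    """Addresses the local machine's resolver returns for name."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def localhost_is_loopback(resolver=system_resolver):
    """Client side: True only if every address for "localhost" is loopback."""
    try:
        addrs = resolver("localhost")
    except OSError:
        return False  # name did not resolve at all
    # Strip any IPv6 zone id ("%eth0") before parsing the address.
    return bool(addrs) and all(
        ipaddress.ip_address(a.split("%")[0]).is_loopback for a in addrs
    )
```

The resolver is a parameter so the client-side check can be exercised with constructed answers; with no argument it asks the machine's own resolver.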