Blog URI, is it necessary?

Brad Fitzpatrick brad at
Fri May 20 10:15:52 PDT 2005

On Fri, 20 May 2005, Ben Hyde wrote:

> On May 20, 2005, at 12:01 PM, ydnar wrote:
> > An OpenID server is vouching for the person using the browser,
> > asserting they own/control the input URL.
> Must it to do both?
> > Alice needs to provide a unique URL that she has implied control over.
> > This keeps a 1:1 mapping between a URL and a "user." LiveJournal can't
> > go around asserting for everyone.
> What would that break?
> Longer form: what would break if the returned openid.assert_identity
> wasn't identical to sent openid.is_identity?

Up to the consumer, but it's bad behavior on the identity server's part
because the consumer will probably reject it.

-- user enters identity URL in a comment form

-- presses validate, does AJAX validate and puts the digest in a hidden
   form field

-- presses submit

-- server-side process validates signature, gets public key from identity
   server, validates (probably from cache) that the identity URL provided
   does point to the identity server that was hit.  Now, even if the
   identity server gave returned a differnet identity URL, and even
   if that alternative identity URL pointed at the identity server,
   the application MIGHT not have updates its identity URL form field
   when the identity server returned.  it might have only stashed away
   in hidden fields the timestamp and signature.

So guys, what should be the recommendation here?  We have to tell
consumers in the spec whether or not they should be prepared for the
assert_identity value changing.

- Brad

More information about the yadis mailing list