DNS spoofing and poisoning..

Mark mark at nullcraft.org
Sat May 21 14:40:47 PDT 2005

Brad Fitzpatrick wrote:

>The point of OpenID is to be dead simple, short-comings and all, so it's
>actually adopted.  Things like comment-signing, priviledge passing, etc.,
>can all be added on later atop the authentication phase, decided between
>parties that support it, later formalized as some sort of defacto
>extension.  (to this defacto "spec")  For instance, we'll probably ask
>sites like Flickr that post to LJ by taking LJ user's passwords to give us
>their RSA public key in the auth request, and ask for "atom-post"
>privileges, and we'll encrypt and send back a priviledge token then can
>use for one time or some short period of time to only post to LJ.  And
>that's all not part of OpenID... but something we'll layer on later, and
>make available to anybody who wants to use it.
To this point, once the basic OpenId spec is solidified, the doors do 
open up quite a bit for adding extentions.  I've pondered many of them 
already.  I suppose it would only complicate matters to be considering 
them at this point, though.  It would be nice to address the needs of 
facilitating such privilege/service exchanges.  I am happy, however, 
that you're already thinking about "atom-post" privileges and public key 
exchanges  :D


More information about the yadis mailing list