Blog URI, is it necessary?
Ben Hyde
bhyde at pobox.com
Mon May 23 11:35:59 PDT 2005
On May 20, 2005, at 1:21 PM, Martin Atkins wrote:
> Ben Hyde wrote:
>>> Alice needs to provide a unique URL that she has implied control
>>> over. This keeps a 1:1 mapping between a URL and a "user."
>>> LiveJournal can't go around asserting http://livejournal.com for
>>> everyone.
>> What would that break?
>> Longer form: what would break if the returned openid.assert_identity
>> wasn't identical to sent openid.is_identity?
>
> That would turn the question from "Is Alice and LiveJournal logged
> in?" to "Which LiveJournal user is logged in?".
>
> There's a privacy concern there, which is why you are required to ask
> for a particular user.
Interesting. When the user enters her URL she is granting permission
to the site to attempt to authentication. Sites might be tempted to
auth without permission. They might guess her URL, either because
it's not particularly unique or because they found it via some back
channel. hm.
- ben
----
http://enthusiasm.cozy.org http://gibbon.cozy.org
tel:+1-781-240-2221
I forecast sunny weather!
More information about the yadis
mailing list