using the identity url to contain a key fingerprint
Martin Atkins
mart at degeneration.co.uk
Wed May 25 06:51:05 PDT 2005
Okay. I think I see what you're getting at this time.
I agree with you to a certain extent. OpenID is very specific to a
single use case and methodology. However, its advantage is that it works
*today* without any major changes to client software or a major learning
curve for users, and it is already capable of solving the particular
problem it was originally designed to solve: "Is this user Bob that has
posted on my site today the same Bob who posted last week, and the same
Bob who posted on Joe's site?"
Jean-Luc Delatre wrote:
>
> - *These* requirements can be very easily fulfilled by using a public
> key system and stating that the user ID *is* the public key!!!
>
> - In order to authenticate a login the website just needs to ask the
> client side to sign some piece of text with his secret key, thus also
> providing along his public key which *is* the sought-for user ID.
> Et voila!!!
>
I would *love* to see a proper public-key based login system as you
describe. I've been going around telling everyone what a great idea it
is for a long time. However, there is no way to do that without
modifying the client, and the client is a big, heavy, immovable object:
everyone uses a different client, and many people will never upgrade it.
Most importantly, there are millions of clients!
OpenID provides a working solution which works for websites today. It
does not provide a magic bullet for authentication needs in every
scenario by any stretch of the imagination, and it can in many respects
be described as a "giant hack", but it's a hack that works.
Most of our discussions here have been about refining the system and
attempting to make it more general or more secure without losing the
simplicity, which I think is a good goal.
To address your final point:
> If the deployment is awkward it will not take off, YOU WILL BE
> SCREWED...
I would argue that deployment of a client-only public-key system would
be far more awkward than OpenID, which requires only a change to the
server. There are far more clients than there are servers. I think
OpenID's simplicity is its primary virtue, actually.
However, even if for some reason this doesn't take off beyond
LiveJournal+clones and Movable Type/TypeKey, it's already being used by a
very large portion of the "weblog" community, which was what it set out
to do in the first place.
All the best,
-Martin
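The challenge-response login Jean-Luc sketches above, as an added example that is not part of the original thread: the server hands out a random "piece of text", the client signs it with its secret key, and the identity the server records is a fingerprint of the public key presented alongside the signature. The fingerprint scheme (hex SHA-256 of the raw Ed25519 key bytes) and the one-shot challenge store, which consumes each challenge on first use so a captured response cannot be replayed, are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Fingerprint derives the user ID from the public key, as the thread
// proposes (the ID *is* the key); assumed here: hex SHA-256 of the key bytes.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Server remembers the challenges it has issued so each is usable once.
type Server struct{ pending map[string]bool }

func NewServer() *Server { return &Server{pending: map[string]bool{}} }

// Challenge issues a fresh random "piece of text" for the client to sign.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[string(nonce)] = true
	return nonce, nil
}

// ClientSign is the client side: sign the server's challenge with the secret key.
func ClientSign(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Login checks the signature over the challenge and returns the identity
// derived from the public key. The challenge is consumed on every attempt,
// so a captured response cannot be replayed later.
func (s *Server) Login(pub ed25519.PublicKey, nonce, sig []byte) (string, error) {
	if !s.pending[string(nonce)] {
		return "", errors.New("unknown or already used challenge")
	}
	delete(s.pending, string(nonce))
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, nonce, sig) {
		return "", errors.New("signature does not verify under presented key")
	}
	return Fingerprint(pub), nil
}
```

The length check before ed25519.Verify matters: the Go verifier panics on a malformed key length, so a server must reject it rather than let a client crash the handler.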