YADIS as an abstraction layer

Granqvist, Hans hgranqvist at verisign.com
Tue Nov 1 13:14:41 PST 2005

I like the general idea you describe here. 

I'm just coming up to speed on the numerous identity ideas discussed
on the list, so bear with me, but one thing intrigues me: the reliance of 
underlying HTML. The protocol is defined as HTTP URLs. Why depend
on HTML parsing abilities? We could rely on HTTP header fields to carry 

Martin's use of the Accept header is a good showcase for how to remove 
the requirement of HTML parsing. The capabilities formats discussed 
are expressable in an HTTP header. If existing HTTP1.1 headers are not 
enough, 'x-' style headers can be used. Makes any sense?

Similarly, can we not use HTTP redirects instead of putting delegation
information in <HEAD>? 

Secondly, about the capability description document: It seems risky to
have identity leaking through (a username can tell a lot  -- and quite a 
few people base passwords on the username too). I think there is a real
risk here.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.danga.com/pipermail/yadis/attachments/20051101/1095e0f0/attachment.html

More information about the yadis mailing list