YADIS as an abstraction layer
Granqvist, Hans
hgranqvist at verisign.com
Tue Nov 1 13:14:41 PST 2005

I like the general idea you describe here.

I'm just coming up to speed on the numerous identity ideas discussed
on the list, so bear with me, but one thing intrigues me: the reliance on
underlying HTML. The protocol is defined as HTTP URLs. Why depend
on HTML parsing abilities? We could rely on HTTP header fields to carry
info.

Martin's use of the Accept header is a good showcase for how to remove
the requirement of HTML parsing. The capabilities formats discussed
are expressible in an HTTP header. If existing HTTP 1.1 headers are not
enough, 'x-' style headers can be used. Makes any sense?

Similarly, can we not use HTTP redirects instead of putting delegation
information in <HEAD>?

Secondly, about the capability description document: It seems risky to
have identity leaking through (a username can tell a lot -- and quite a
few people base passwords on the username too). I think there is a real
risk here.

Thanks,
Hans