YADIS as an abstraction layer

Martin Atkins mart at degeneration.co.uk
Tue Nov 1 13:40:18 PST 2005

Granqvist, Hans wrote:
> I'm just coming up to speed on the numerous identity ideas discussed
> on the list, so bear with me, but one thing intrigues me: the reliance of
> underlying HTML. The protocol is defined as HTTP URLs. Why depend
> on HTML parsing abilities? We could rely on HTTP header fields to carry
> info.

The indirection through HTML, just as in OpenID, is simply a case of
"let's be realistic, here!"

Most human-readable things on the web are HTML. People are familiar with
HTML. There are lots of people that can write HTML but don't even know
what HTTP headers are, let alone how to change them.

Allowing people to turn their homepage into an OpenID identity just by
copying a bit of code into their document significantly lowers the
barrier of entry, so much so that within minutes of its announcement on
LiveJournal people were logging in "as their website" and leaving comments.

Sure, it's not ideal from a technological perspective, but
pie-in-the-sky pure implementations that don't pay any mind to current
realities rarely get very far.

> Secondly, about the capability description document: It seems risky to
> have identity leaking through (a username can tell a lot -- and quite a
> few people base passwords on the username too). I think there is a real
> risk here.

This is an intriguing observation. I'm a little taken aback by it since
people share usernames all the time. Do you have a solution in mind?

Nonetheless, the usernames seen here are specific to two of the made-up
capabilities I picked as examples, and are therefore not part of YADIS
itself. Depending on the protocol at hand, it could just as well be
replaced by some kind of opaque numeric token.
