capabilities lookup

Ernst Johannes jernst+lists.danga.com at netmesh.us
Sun Nov 20 17:34:31 PST 2005


My understanding is that Brad did not choose this approach ("parse  
content found in HTML BODY") because many home pages / blogs allow  
comments, and a malicious commenter could thus get the home page to  
point to an incorrect OpenID identity server. His thought was that  
this attack does not work for HTML HEAD content and thus picked that  
one for OpenID.

The argument is the same for YADIS, I believe.

There's a second problem: the granularity of the exposed capabilities  
is very coarse, and at least I for my part would like it to be more  
fine-grained, so that somebody could say "I support OpenID auth, and  
LID auth messaging, and XYZ Profile exchange" in arbitrary  
combinations, rather than having to accept or reject entire stacks at  
a time.




On Nov 20, 2005, at 12:18, Joaquin Miller wrote:

> Here is the proposal I promised a week or so ago.  It is timely  
> now, after Michael's discussion.
>
> We all agree on one design principle: The solution must maximize  
> the chances of rapid, widespread adoption.
>
> And we all agree that, given the other design principles (we may  
> not all agree on all of those), this means it must be extremely  
> easy for an individual to set up and maintain their own identity  
> server (whether in their own bedroom closet, at their ISP, or  
> wherever).
>
> Sadly, all four of the alternatives at
> http://yadis.org/wiki/Draft-002 flunk.
>
> I thought to start from what is simplest and most universal for an  
> individual who wants to set up and maintain their own identity  
> server.  I came up with: placing text on a web page.
>
> The obvious convention is to include magic text on the YADIS page  
> ( http://yadis.org/wiki/Terminology):
>
>     <p>I do XRI.</p>
>     <p>I do OpenID.</p>
>     <p>I do mIDm.</p>
>     <p>I do LID.</p>
>
> ...
>
> I don't hear the crowd cheering.
>
>
>
>
>
> Then I thought: Wouldn't someone who had a YADIS URL be as proud as  
> can be?  And wouldn't they want to root for the home team?
>
> So I thought a user of a YADIS URL would have one or another of the  
> YADIS logos on their YADIS page.
>
> Logos like:
>   the OpenID ID
>   the LID lozenge
>   perhaps the OASIS swirly-thingie or the XDI ><DI
>   or simply the text, mIDm
>
> Since we don't want YADIS relying parties scanning for images, we  
> would expect a URL behind the image:
>
> http://openid.net/
> http://lid.netmesh.org
> http://www.oasis-open.org/committees/xri
>   or, for examples, http://www.xdi.org/ , http://public.xdi.org/ or  
> http://public.2idi.com/
>
> People not up to something as complicated as an image with a link  
> behind it can simply put the text on their YADIS page.
>
> The parsing of the YADIS page will be trivial.  Just scan for one  
> or more of the strings.
>
> I post this in the hope it will inspire some additional ideas.
>
> If we can get past this being 2 clunky 2 believe, and still don't  
> like it,
> then the next step is to come up with something better, ...
>
> but not too much better: something that satisfies Michael's design  
> principles.
>
> Cordially, Joaquin

Johannes Ernst
 http://netmesh.info/jernst
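
The HEAD-versus-BODY point in the message above, as an added example that is not part of the original message or of any OpenID/YADIS code: a parser that accepts a discovery link only from the document's first HEAD, next to a whole-document scan that a link injected through a comment would fool. The `openid.server` rel value is OpenID 1.x's HEAD link convention (not quoted in the message); the sample page and host names are constructed.

```python
from html.parser import HTMLParser

# Constructed sample page: the owner's declaration is in HEAD, and a
# commenter has injected a competing <link> into BODY (hypothetical hosts).
SAMPLE_PAGE = """<html><head>
<title>Alice's blog</title>
<link rel="openid.server" href="https://idp.example.org/server">
</head><body>
<p>Welcome to my blog.</p>
<div class="comment">Nice post!
<link rel="openid.server" href="https://evil.example.net/server">
</div>
</body></html>"""

REL = "openid.server"  # OpenID 1.x link rel; an assumption relative to the message


class HeadLinkParser(HTMLParser):
    """Collect (rel, href, was_in_head) for every <link> in the page."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.head_done = False  # a later <head> inside BODY is never trusted
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "head" and not self.head_done:
            self.in_head = True
        elif tag == "body":
            self.in_head, self.head_done = False, True
        elif tag == "link":
            a = dict(attrs)
            for rel in (a.get("rel") or "").lower().split():
                self.links.append((rel, a.get("href"), self.in_head))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head, self.head_done = False, True


def discover(page, rel=REL, head_only=True):
    """Return hrefs declared for `rel`; head_only=False is the unsafe BODY scan."""
    p = HeadLinkParser()
    p.feed(page)
    return [h for r, h, in_head in p.links if r == rel and (in_head or not head_only)]
```

With `head_only=False` the commenter's server appears in the result alongside the owner's; restricting to the first HEAD returns only the owner's declaration.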


