Some questions from a "Newbie"

Brad Fitzpatrick brad at danga.com
Wed Sep 14 09:01:28 PDT 2005


On Wed, 14 Sep 2005, Lukas Leander Rosenstock wrote:

> Hello everybody!
> I've just found out about the OpenID project yesterday and I really like
> it, just recently thought about something like this, too. It took me
> some time to understand the specs but now I've got the point. In the
> next weeks I will try to implement first a consumer and then a server as
> an ISAPI-DLL in Borland Delphi (of course letting you know).
> I have some questions about the specs, I hope they haven't been on the
> list before (just scanned the archives quickly):
> 1) Why do you need openid.delegate? One could just tell his account on a
> service, let's call it "openidserver.com", to accept "mydomain.com" as
> login URL. Of course this is possible with the current specs but they
> say this is discouraged. Is it for privacy reasons (not letting
> "openidserver.com" know that I use them to verify "mydomain.com")?

Mostly to improve cacheability of shared secrets.  See the archives.

> 2) For the communication between consumer and server, why not use
> XML-RPC instead of this plain POST-request and the key/value-pairs? I
> believed, just thinking about Pingback, this is the way to go for
> communication between servers.

Discussed to death.  :-)  See the archives.  Mostly to not put ourselves
in the current XML-format-du-jour camp.  XML formats come and go pretty
fast, and plain POST has wider acceptance, and is easier to sign, without
pulling XML-SIG, etc.

> 3) How long should an assoc_handle and an associated mac_key work, in
> other words what's a "suggested" value for expires_in? Minutes, days,
> weeks, months, years?

A week or two probably.

> Sorry for all of these questions, I hope someone finds the time to
> answer them!

No prob.  Good luck with your project.

- Brad
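
An added example, not part of the original message or of the OpenID project's code: a consumer-side check showing why flat key/value pairs are simple to sign with an association's mac_key, and how expires_in bounds that key's life. The key:value line layout, HMAC-SHA1, and the field names identity, return_to, signed and sig are assumptions made for illustration; all sample values are constructed.

```python
import base64
import hashlib
import hmac

# Assumption: fields a consumer insists on seeing in the signed list.
REQUIRED_SIGNED = {"identity", "return_to"}


def kv_form(fields, signed):
    """Serialize the signed fields as key:value lines, in the listed order."""
    lines = []
    for key in signed:
        value = fields[key]
        # A newline or a colon in the key would make the encoding ambiguous.
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError("field not representable in key/value form")
        lines.append(f"{key}:{value}\n")
    return "".join(lines).encode("utf-8")


def sign(fields, signed, mac_key):
    """Base64 HMAC-SHA1 over the key/value serialization."""
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


class Association:
    """Shared secret cached by the consumer until it expires."""

    def __init__(self, handle, mac_key, expires_in, issued_at):
        self.handle, self.mac_key = handle, mac_key
        self.expires_at = issued_at + expires_in

    def expired(self, now):
        return now >= self.expires_at


def verify(fields, assoc, now):
    """Accept only a live association and a matching, complete signature."""
    if fields.get("assoc_handle") != assoc.handle or assoc.expired(now):
        return False
    signed = fields.get("signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed):
        return False  # a valid MAC over the wrong fields proves nothing
    try:
        expected = sign(fields, signed, assoc.mac_key)
    except (KeyError, ValueError):
        return False
    supplied = fields.get("sig", "")
    return hmac.compare_digest(expected.encode(), supplied.encode())
```

With expires_in set to the one or two weeks suggested above, a leaked mac_key stops verifying once the association lapses and the consumer must associate again.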


More information about the yadis mailing list