OpenID, YADIS and Directed Identity

Michael Graves mgraves at
Sun Feb 12 19:48:53 UTC 2006

Martin Atkins <mart <at>> writes:

> Michael Graves wrote:
> > 
> > What would be need to support this? The only change that I can think of 
> > be that the relying party would not require the "input" login URL to be the 
> > same as the "output" login URL. If I can start by entering "", 
> > choose one of a number of personae that I control, including a one-time 
> > that I made up on the fly just for this login, as long as the OpenID (or 
> > your favorite protocol here) consumer evaluates the *output* URL I think it 
> > works out. As it is, OpenID is expecting (cryptographically) a match on the 
> > input URL.
> > 
> So I enter my identity URL as and my identity server
> tells the relying party "The remote user is".
> What have I gained here? They know I originally entered
>, so they can tell that the two correlate.
> I'm obviously missing something.


Josh answered this in his reply, and I sort of did in my reply to him (mixed in 
with running on about a bunch of other things), but just so we're clear, in my 
scenario, you wouldn't enter "" at the initial login screen. 
Instead you would only enter "". At this point, then, the relying 
party only knows you are somehow attached to "".  You are then 
redirected (302) to's login page.  Unlike the current scenario, 
the identity server ( has at this point no idea who you are, so 
instead of asking just for your password and presenting the "user" field 
already filled out, you would need to specify your user name at's 
login screen as well.

Once you've established who you are to, the identity server can do 
whatever you want, given your preferences. If so instructed, can 
create a new (nearly) random user ID for you to use as a (directed identity) 
alias, or if you want it could choose any of your available existing personae - 
your blog URL, or some other.

In the case of directed identity, then, you enter "", get directed 
there, login as "mart", indicate you want a new "on the fly" alias created for 
this trust relationship, and submit the form. The server returns 
to the calling relying party with your ID specified 
as "" - an ID that was created specifically and only for 
your relationship with this relying party.

Hope that makes the difference clear. It's just a small twist from the way 
OpenID works right now, but it would be a useful facility to have available, I 
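The flow described in this post, as an added worked example that is not part of the original message or of any OpenID implementation: a toy identity server that, after the user authenticates at the server's own login screen, returns either an existing persona or a per-relying-party alias. The server name `https://idp.example`, the relying-party URLs, the user name and the HMAC-based alias derivation are all constructed assumptions; the point it demonstrates is that two relying parties receive different identifiers for the same user, the same relying party always sees the same one, and neither identifier reveals the user name.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlparse

# Hypothetical identity server URL (placeholder, not from the original thread).
IDP_BASE = "https://idp.example"


class DirectedIdentityServer:
    """Toy identity server supporting 'directed identity' aliases.

    The user enters only the identity server's URL at the relying party, is
    redirected here, and logs in with a user name. On success the server
    returns a claimed identifier chosen for this relying party only.
    """

    def __init__(self, pairwise_secret: Optional[bytes] = None) -> None:
        # Server-side secret used to derive aliases; never leaves the server.
        self._secret = pairwise_secret or secrets.token_bytes(32)
        # user -> SHA-256 of password (toy store; a real server would use a
        # salted password hash such as argon2 or bcrypt)
        self._users: dict[str, str] = {}
        # (user, realm) -> alias, so one relying party sees a stable alias
        self._aliases: dict[tuple[str, str], str] = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = hashlib.sha256(password.encode()).hexdigest()

    def _authenticate(self, username: str, password: str) -> bool:
        stored = self._users.get(username)
        given = hashlib.sha256(password.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, given)

    @staticmethod
    def realm_of(return_to: str) -> str:
        # The relying party is identified by the scheme and host of the URL
        # it asked us to return to; different paths on one host share an alias.
        p = urlparse(return_to)
        return f"{p.scheme}://{p.netloc}".lower()

    def directed_alias(self, username: str, realm: str) -> str:
        """Return the alias for (user, relying party), creating it on first use.

        Derivation here is HMAC(secret, user || realm); a server could equally
        store a random token. Either way the relying party cannot map the alias
        back to the user name or to aliases issued to other relying parties.
        """
        key = (username, realm)
        if key not in self._aliases:
            msg = f"{username}\x00{realm}".encode()
            tag = hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:16]
            self._aliases[key] = f"{IDP_BASE}/id/{tag}"
        return self._aliases[key]

    def login(self, return_to: str, username: str, password: str,
              mode: str = "directed") -> Optional[dict]:
        """Handle the login screen the user lands on after the 302 redirect.

        The user name is not prefilled: the server does not yet know who is
        logging in. Returns the assertion fields sent back to the relying
        party, or None if authentication fails.
        """
        if not self._authenticate(username, password):
            return None
        realm = self.realm_of(return_to)
        if mode == "directed":
            claimed = self.directed_alias(username, realm)
        else:
            # An existing public persona, e.g. the user's identity page here.
            claimed = f"{IDP_BASE}/{username}"
        return {"openid.identity": claimed, "openid.return_to": return_to}


if __name__ == "__main__":
    srv = DirectedIdentityServer()
    srv.register("mart", "correct horse")
    for rp in ("https://blog-rp.example/return", "https://shop-rp.example/cb"):
        print(rp, "->", srv.login(rp, "mart", "correct horse")["openid.identity"])
```

Because the alias is keyed on the relying party's realm, the relying party can still recognise a returning user, which is what makes the alias usable as a login, while two relying parties comparing notes see unrelated identifiers.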