OpenID, YADIS and Directed Identity

Drummond Reed drummond.reed at
Mon Feb 13 06:17:06 UTC 2006


We in XRI-land got the same feedback about the need for unidirectional
identifiers for single sign-on last fall. And we came up with the same
solution -- see my blog post at:

I think it applies to XRIs, URLs, or any other identifier technology. One
caveat I'll point out, though: this technique only works if there are a
sufficiently large enough set of identifiers issued by the identity service
provider (in your example, Otherwise you can be correlated at
that level.

=Drummond (

-----Original Message-----
From: yadis-bounces at [mailto:yadis-bounces at]
On Behalf Of Michael Graves
Sent: Sunday, February 12, 2006 12:40 PM
To: yadis at
Subject: Re: OpenID, YADIS and Directed Identity

Johannes Ernst < <at>> writes:

> > ... in my
> > scenario, you wouldn't enter "" at the initial  
> > login, screen.
> > Instead you would only enter "". At this point, then,  
> > the replying
> > part only knows you are somehow attached to "".  You  
> > are then
> > redirected (302) to's login page.  Unlike the current  
> > scenario,
> > the identity server ( has at this point no idea who  
> > you are, so
> > instead of asking just for your password and presenting the "user"  
> > field
> > already filled out, you would need to specify your user name at  
> >'s
> > login screen as well.
> Not necessarily. The identity server can have a cookie, shared only  
> with itself, that identifies who you are. So the sequence would be
> GET relying-party -> HTML form
> POST relying party -> Redirect to
> GET cookie=myid -> Redirect to
> GET -> Redirect to relying party with signed URL  
> (if active session, otherwise ask for password first)
> P.S. No hunting party  as long as everybody understands that this  
> is about something other than YADIS 1.0.
> Johannes Ernst
> NetMesh Inc.

Hi Johannes!

You're right, of course. My point was to emphasize the fact that the
server has no idea who you are *from* the relying party, which means that 
subsequent provisioning of a generated ID won't provide a basis for 

If you are currently logged in to your identity server, your cookies can 
trigger "auto-fill" for your user name, when you are redirected 
to "". That's a good point!  So, ergonomically, you haven't
up anything important to the relying party yet, but when you arrive at's site, it may know who you are through its own devices and
you haven't really lost any momentum in the process.

That's cool. I don't know what the real need/demand is for this
but I do know that I've had to defend/address YADIS/OpenID not having it 
several times in the past few weeks. Again this is really an OpenID issue,
a YADIS one, and one we can take up later. This is an interesting "upgrade"
consider, though.


More information about the yadis mailing list