OpenID, YADIS and Directed Identity
drummond.reed at cordance.net
Mon Feb 13 06:17:06 UTC 2006
We in XRI-land got the same feedback about the need for unidirectional
identifiers for single sign-on last fall. And we came up with the same
solution -- see my blog post at:
I think it applies to XRIs, URLs, or any other identifier technology. One
caveat I'll point out, though: this technique only works if there are a
sufficiently large enough set of identifiers issued by the identity service
provider (in your example, idsrus.com). Otherwise you can be correlated at
From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
On Behalf Of Michael Graves
Sent: Sunday, February 12, 2006 12:40 PM
To: yadis at lists.danga.com
Subject: Re: OpenID, YADIS and Directed Identity
Johannes Ernst <jernst+lists.danga.com <at> netmesh.us> writes:
> > ... in my
> > scenario, you wouldn't enter "mart.whatever.com" at the initial
> > login, screen.
> > Instead you would only enter "whatever.com". At this point, then,
> > the replying
> > part only knows you are somehow attached to "whatever.com". You
> > are then
> > redirected (302) to whatever.com's login page. Unlike the current
> > scenario,
> > the identity server (whatever.com) has at this point no idea who
> > you are, so
> > instead of asking just for your password and presenting the "user"
> > field
> > already filled out, you would need to specify your user name at
> > whatever.com's
> > login screen as well.
> Not necessarily. The identity server can have a cookie, shared only
> with itself, that identifies who you are. So the sequence would be
> GET relying-party -> HTML form
> POST relying party identity=whatever.com -> Redirect to whatever.com
> GET whatever.com cookie=myid -> Redirect to whatever.com/myid
> GET whatever.com/myid -> Redirect to relying party with signed URL
> (if active session, otherwise ask for password first)
> P.S. No hunting party as long as everybody understands that this
> is about something other than YADIS 1.0.
> Johannes Ernst
> NetMesh Inc.
You're right, of course. My point was to emphasize the fact that the
server has no idea who you are *from* the relying party, which means that
subsequent provisioning of a generated ID won't provide a basis for
If you are currently logged in to your identity server, your cookies can
trigger "auto-fill" for your user name, when you are redirected
to "whatever.com". That's a good point! So, ergonomically, you haven't
up anything important to the relying party yet, but when you arrive at
whatever.com's site, it may know who you are through its own devices and
you haven't really lost any momentum in the process.
That's cool. I don't know what the real need/demand is for this
but I do know that I've had to defend/address YADIS/OpenID not having it
several times in the past few weeks. Again this is really an OpenID issue,
a YADIS one, and one we can take up later. This is an interesting "upgrade"
More information about the yadis