Securing HTML vs securing HTTP
Jens Alfke
jens at mooseyard.com
Tue Jan 24 05:16:53 UTC 2006
On 23 Jan '06, at 5:15 PM, Kevin Turner wrote:
> There's a pretty straightforward way to address this concern. If you
> don't believe the code that generates your dynamic web page is
> trustworthy enough for your identity, don't use it. Instead of putting
> your identity URL at http://mooseyard.com/Jens/ , why not
> http://mooseyard.com/o , where "o" is a static page? Personally, I find
> little utility in having the identifier I authenticate by as being
> precisely the same as the URL for my blog.
That's a good point, and one I was finding myself unwillingly led
toward anyway.
My resistance to it is on the grounds of simplicity or elegance ...
not having too many entities. The URL I use for authentication
becomes my identity. It's what will be displayed at other sites.
People I associate with online will recognize me by it. People who
don't know me will follow that URL to see who I am. It becomes my
home page.
But that role of personal home page has already been taken by the
blog, for well-known reasons. It has nicer formatting than I would
create by hand. It always shows the latest things I've written, my
latest bookmarks and photos.
So one solution is to make the ID page a static page that has a name
and picture and a link to the blog.
A different one is for the protocol to derive the ID URL from the
home/blog URL. Users only see the latter. This is in effect what LID
does, by appending query parameters to the URL for all of its
protocol operations. The counter-argument, from the OpenID home page,
is that this "Assumes that identity URLs are dynamic documents that
can handle fancy URL parameters. Not true in real life, which is key
for adoption." I'm not sure why this isn't true in real life — maybe
Brad can explain?
--Jens
PS: I don't mean to march in and start being all argumentative. I
love this stuff, and I'm metaphorically kicking the tires pretty hard
to convince myself it's as good as I want it to be. No hard feelings,
I hope.