Securing HTML vs securing HTTP

Christopher Schmidt crschmidt at
Tue Jan 24 16:11:50 UTC 2006

On Mon, Jan 23, 2006 at 09:16:53PM -0800, Jens Alfke wrote:
> A different one is for the protocol to derive the ID URL from the  
> home/blog URL. Users only see the latter. This is in effect what LID  
> does, by appending query parameters to the URL for all of its  
> protocol operations. The counter-argument, from the OpenID home page  
> is that this "Assumes that identity URLs are dynamic documents that  
> can handle fancy URL parameters. Not true in real life, which is key  
> for adoption." I'm not sure why this isn't true in real life — maybe  
> Brad can explain?

There are still a huge number of pages out there which are not
dynamically generated, or are created by code that users don't have the
ability to modify, etc. I can't set up Geocities to respond to query
params. I can't modify my Yahoo profile page to respond to them -- but
yahoo can set up OpenID headers that have information about the servers,
and send those dynamic requests to someplace that *does* allow for
changing the contents based on query args.

Static HTML still makes up a majority of the internet.

Christopher Schmidt
Web Developer

More information about the yadis mailing list