Securing HTML vs securing HTTP

Jens Alfke jens at
Tue Jan 24 18:08:03 UTC 2006

On 24 Jan '06, at 8:11 AM, Christopher Schmidt wrote:

> I can't modify my Yahoo profile page to respond to them -- but
> yahoo can set up OpenID headers that have information about the  
> servers,
> and send those dynamic requests to someplace that *does* allow for
> changing the contents based on query args.

But you're still dependent on Yahoo to change their software to add  
the <link> tag or the HTTP header. My hunch is that talking them into  
doing that would be harder than talking them into being an OpenID  
server in their own right. (Yahoo would not be happy with letting  
some random ID server be in charge of vouching for someone's identity  
as a Yahoo member.)

The trade-off seems to be between who gets to use the same URL for  
identity and "home page":
(a) With LID, those who have dynamic pages can have the same URL.  
Those limited to static pages can't.
(b) With OpenID, those who have static pages can have the same URL.  
Those who have dynamic pages could have the same URL, but security  
issues make this an unwise idea in almost all cases, so they are  
safer making a new static URL.

It seems a little backwards to me to give precedence to people with  
fewer capabilities. I don't think such people tend to be early  
adopters of anything (other than Comic Sans and fluorescent page  
backgrounds). The early adopters of distributed-identity will be (a)  
the geeks and pundits who eagerly adopt new Internet technologies;  
and (b) bloggers and journalers. The first group will have no problem  
with installing a script or plug-in as an identity server, the second  
group will get it for free when their blog software or host site adds  
it as a feature.

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the yadis mailing list