Securing HTML vs securing HTTP

Josh Hoyt josh at janrain.com
Tue Jan 24 18:24:54 UTC 2006


Jens,

On 1/24/06, Jens Alfke <jens at mooseyard.com> wrote:
> The trade-off seems to be between who gets to use the same URL for identity
> and "home page":
> (a) With LID, those who have dynamic pages can have the same URL. Those
> limited to static pages can't.
> (b) With OpenID, those who have static pages can have the same URL. Those
> who have dynamic pages could have the same URL, but security issues make
> this an unwise idea in almost all cases, so they are safer making a new
> static URL.

I'm not sure I buy this logic. With OpenID, you have to depend on
dynamic software to insert one, straightforward <link> tag in a Web
page. With LID, you have to depend on the software to dispatch to the
LID code to actually perform the operation. I think that making sure a
small bit of HTML or an http header is correct is a much simpler
operation than ensuring that all of your identity service dispatching
is working correctly.

Also, the YADIS layer that is growing beneath OpenID and LID uses the
same model as OpenID, with the same benefits and drawbacks as the
OpenID discovery mechanism, and it will become part of LID.

Josh


More information about the yadis mailing list