Securing HTML vs securing HTTP

Jens Alfke jens at mooseyard.com
Tue Jan 24 18:43:01 UTC 2006


On 24 Jan '06, at 10:24 AM, Josh Hoyt wrote:

> With OpenID, you have to depend on
> dynamic software to insert one, straightforward <link> tag in a Web
> page. With LID, you have to depend on the software to dispatch to the
> LID code to actually perform the operation. I think that making sure a
> small bit of HTML or an http header is correct is a much simpler
> operation than ensuring that all of your identity service dispatching
> is working correctly.

Look back at my earlier messages in this thread. The issue isn't  
whether I trust the code that runs my identity mojo. As Johannes  
pointed out, I trust that code because I have no choice but to. The  
real issue is whether I trust the other dynamic code generating that  
page not to mess with the identity URLs.

With OpenID, you have to trust all of the software that generates the  
page. That means that, if you already have a dynamic page using  
WordPress or Drupal or something like that, you have to trust that  
entire codebase, plus any 3rd party plug-ins you installed, plus any  
theme you're using. I trust that software enough to generate a home  
page and blog for me. I don't know if I trust it with my
Internet-wide identity.

With LID, since the identity URL is distinct from the home-page URL,  
I can easily add a redirect to my .htaccess to have a separate script  
manage my identity. I am much more willing to trust that
single-purpose script.

Does that make more sense?

--Jens
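
The concern raised in this message, that any code contributing to the page could alter the identity `<link>` tags, can be monitored from the outside by auditing the rendered HTML. The following is an added example, not part of the original message or of any OpenID or LID code; it assumes the OpenID 1.x rel values `openid.server` and `openid.delegate`, and the function name and all URLs are constructed placeholders.

```python
from html.parser import HTMLParser

# rel values from OpenID 1.x HTML discovery (assumed; the message only says "<link> tag")
OPENID_RELS = {"openid.server", "openid.delegate"}

class _LinkCollector(HTMLParser):
    """Records (rel, href, in_head) for each OpenID <link> tag."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = []
    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link":
            a = dict(attrs)
            # rel is a space-separated token list, matched case-insensitively
            for rel in (a.get("rel") or "").lower().split():
                if rel in OPENID_RELS:
                    self.found.append((rel, a.get("href"), self.in_head))
    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def audit_identity_links(html, expected):
    """Return findings; an empty list means the page matches `expected`."""
    collector = _LinkCollector()
    collector.feed(html)
    collector.close()
    findings, seen = [], {}
    for rel, href, in_head in collector.found:
        seen.setdefault(rel, []).append(href)
        if not in_head:
            findings.append(f"{rel} outside <head>: {href}")
        if href != expected.get(rel):
            findings.append(f"unexpected {rel}: {href}")
    for rel, href in expected.items():
        if rel not in seen:
            findings.append(f"missing {rel} (expected {href})")
        elif len(seen[rel]) > 1:
            findings.append(f"duplicate {rel}: {len(seen[rel])} tags")
    return findings

# Constructed samples (placeholder URLs): a clean page and one with a tag added in the body.
EXPECTED = {"openid.server": "https://id.example.com/server",
            "openid.delegate": "https://id.example.com/user"}
HEAD = "".join(f'<link rel="{r}" href="{h}">' for r, h in EXPECTED.items())
CLEAN = f"<html><head>{HEAD}</head><body><p>Hi</p></body></html>"
TAMPERED = CLEAN.replace("<p>Hi</p>", '<link rel="openid.server" href="https://other.example.net/s">')
```

Run against the page as served to the public after every plug-in or theme change, and alert on any non-empty result.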