Securing HTML vs securing HTTP
Jens Alfke
jens at mooseyard.com
Tue Jan 24 18:43:01 UTC 2006

On 24 Jan '06, at 10:24 AM, Josh Hoyt wrote:

> With OpenID, you have to depend on
> dynamic software to insert one, straightforward <link> tag in a Web
> page. With LID, you have to depend on the software to dispatch to the
> LID code to actually perform the operation. I think that making sure a
> small bit of HTML or an http header is correct is a much simpler
> operation than ensuring that all of your identity service dispatching
> is working correctly.

Look back at my earlier messages in this thread. The issue isn't
whether I trust the code that runs my identity mojo. As Johannes
pointed out, I trust that code because I have no choice but to. The
real issue is whether I trust the other dynamic code generating that
page not to mess with the identity URLs.

With OpenID, you have to trust all of the software that generates the
page. That means that, if you already have a dynamic page using
WordPress or Drupal or something like that, you have to trust that
entire codebase, plus any 3rd party plug-ins you installed, plus any
theme you're using. I trust that software enough to generate a home
page and blog for me. I don't know if I trust it with my Internet-
wide identity.

With LID, since the identity URL is distinct from the home-page URL,
I can easily add a redirect to my .htaccess to have a separate script
manage my identity. I am much more willing to trust that single-
purpose script.

Does that make more sense?

--Jens
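
The concern in the message above is that any code contributing to the page can alter the identity `<link>` tags. The following is an added example, not part of the original message or of any project discussed in the thread: a check that compares the `openid.server` and `openid.delegate` link relations (the OpenID 1.x names) in rendered HTML against pinned values. The URLs and function names are constructed placeholders.

```python
from html.parser import HTMLParser

# Pinned values are constructed placeholders, not taken from the thread.
PINNED = {
    "openid.server": "https://idp.example/server",
    "openid.delegate": "https://idp.example/users/alice",
}

class LinkCollector(HTMLParser):
    """Collect every <link> whose rel contains an openid.* token."""
    def __init__(self):
        super().__init__()
        self.found = []  # (rel_token, href) in document order

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = {k: (v or "") for k, v in attrs}
        for token in a.get("rel", "").lower().split():
            if token.startswith("openid."):
                self.found.append((token, a.get("href", "").strip()))

def audit_identity_links(html, pinned=PINNED):
    """Return a list of findings; an empty list means the page matches the pins."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for rel, expected in pinned.items():
        hrefs = [h for r, h in parser.found if r == rel]
        if not hrefs:
            findings.append(f"missing {rel}")
        elif len(hrefs) > 1:  # a second tag from a plug-in or theme
            findings.append(f"duplicate {rel}: {hrefs}")
        elif hrefs[0] != expected:
            findings.append(f"changed {rel}: {hrefs[0]}")
    for rel, href in parser.found:
        if rel not in pinned:
            findings.append(f"unexpected {rel}: {href}")
    return findings

# Constructed sample pages: the second simulates a theme emitting its own tag.
CLEAN = ('<html><head><link rel="openid.server" href="https://idp.example/server">'
         '<link rel="openid.delegate" href="https://idp.example/users/alice">'
         '</head><body>blog</body></html>')
TAMPERED = CLEAN.replace("<head>", '<head><link rel="openid.server" '
                         'href="https://other.example/server">')
```

Run against the rendered output of the live page on a schedule, a non-empty result shows that something in the page-generating stack changed the identity tags.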