Yadis and OpenID: openid.server vs X-YADIS-Location

Drummond Reed drummond.reed at cordance.net
Thu Mar 9 20:30:22 UTC 2006


I agree with Martin, the worst choice is not to spec this. If it's spec'd,
the "path forward" will be clear and, like a marked trail in the woods vs.
an unmarked path, developers will be much more likely to follow it.

=Drummond 

-----Original Message-----
From: yadis-bounces at lists.danga.com [mailto:yadis-bounces at lists.danga.com]
On Behalf Of Martin Atkins
Sent: Wednesday, March 08, 2006 11:49 PM
To: yadis at lists.danga.com
Subject: Yadis and OpenID: openid.server vs X-YADIS-Location


I remain a little concerned about adoption of Yadis by users of OpenID.
Here's why...

For backwards compatibility, OpenID identities will probably be
generating the OpenID-specific openid.server links for some time.
There's no point in debating this, because it's going to happen whether
we like it or not.

Now, in order to do Yadis, one has to fetch the identity URL and look
for the Yadis URL. In the process, (unless using the HEAD optimisation)
the relying party has fetched the document containing the openid.server
link, so it now knows the URL of the OpenID server without bothering to
bear the extra overhead of fetching the Yadis document. Yadis has, for
all intents and purposes, been bypassed.

So the question is, what needs to be done about this?
* Ignore it and spec it as recommended operating procedure. This raises
questions about what exactly Yadis is good for when you only support OpenID.
* Forbid it, saying that the Yadis document supersedes the openid.server
LINK and thus requiring the relying party to inspect both. This forces
OpenID consumers to do one extra step to find out something that nine
times out of ten they already know. I can't see many consumer
implementors going for this as it bypasses a good optimization.
* Allow relying parties to do what they want and say in the OpenID spec
that the Yadis document and the openid.server must point at the same URL
or the behavior is undefined. This option reflects reality, since
pre-Yadis OpenID consumers are going to look only at openid.server while
Yadis-only OpenID consumers are going to look only at the Yadis document.

I'm favouring the third of these right now. Those who already support
OpenID can declare it through Yadis in addition to LINK
REL="openid.server" with a trivial amount of code. It does put the
burden on the identity provider to keep the two URLs in sync, though.

Whatever the choice, it should be specced. If it's not specced, everyone
will do their own thing and chaos will ensue.
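An added example, not code from either poster, of the relying-party-side check the third option implies: it extracts both the legacy openid.server LINK and the Yadis location from a fetched identity page, pulls the OpenID service URI out of the Yadis XRDS document, and reports whether the two discovery paths name the same server. Hostnames and both documents are constructed, nothing is fetched over the network, and the XRDS layout assumed is the one Yadis 1.0 specifies.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

XRD_NS = "xri://$xrd*($v*2.0)"          # namespace of Yadis 1.0 XRDS documents (assumed)
OPENID_1_TYPE = "http://openid.net/signon/1.0"

# Constructed sample: what a relying party sees after GETting an identity URL
# that advertises both the legacy openid.server LINK and a Yadis location.
IDENTITY_HEADERS = {"Content-Type": "text/html",
                    "X-YADIS-Location": "https://id.example.test/yadis"}
IDENTITY_HTML = """<html><head>
<link rel="openid.server" href="https://idp.example.test/openid">
<meta http-equiv="X-YADIS-Location" content="https://id.example.test/yadis">
</head><body>me</body></html>"""

# Constructed Yadis (XRDS) document served at the Yadis location above.
YADIS_XRDS = f"""<?xml version="1.0"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="{XRD_NS}"><XRD><Service>
<Type>{OPENID_1_TYPE}</Type><URI>https://idp.example.test/openid</URI>
</Service></XRD></xrds:XRDS>"""

class _HeadTags(HTMLParser):
    """Collect the first LINK rel=openid.server and META X-YADIS-Location seen."""
    def __init__(self):
        super().__init__()
        self.openid_server = self.yadis_location = None
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs}
        if tag == "link" and (a.get("rel") or "").lower() == "openid.server":
            self.openid_server = self.openid_server or a.get("href")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "x-yadis-location":
            self.yadis_location = self.yadis_location or a.get("content")

def discover(headers, html):
    """Return (legacy openid.server href, Yadis URL) for an identity URL response.
    The HTTP header is preferred: a HEAD-only relying party never sees the META tag."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    p = _HeadTags()
    p.feed(html)
    return p.openid_server, hdrs.get("x-yadis-location") or p.yadis_location

def openid_server_from_xrds(xrds):
    """Return the URI of the OpenID 1.x service in a Yadis XRDS document, or None."""
    for svc in ET.fromstring(xrds).iter(f"{{{XRD_NS}}}Service"):
        types = [t.text for t in svc.findall(f"{{{XRD_NS}}}Type")]
        uri = svc.find(f"{{{XRD_NS}}}URI")
        if OPENID_1_TYPE in types and uri is not None:
            return uri.text.strip()
    return None

def consistent(headers, html, xrds):
    """Option 3 from the thread: both discovery paths must name the same server."""
    legacy, _yadis_url = discover(headers, html)
    return legacy is not None and legacy == openid_server_from_xrds(xrds)
```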
