how different is OpenID from SXIP?

Johannes Ernst at
Sat Mar 18 06:23:32 UTC 2006

I'm sure your analysis of other people's technology is much more  


Can we just stop the FUD on this one single mailing list, please?

On Mar 17, 2006, at 22:02, Dick Hardt wrote:

> Unfortunately, very inaccurate.
> A Homesite can be authoritative for any URL, just like in OpenID.  
> Unlike OpenID, multiple Homesites may be authoritative for the same  
> URL (since in OpenID you type in the URL, you can't select which  
> Homesite/IDP).
> In SXIP, I can use one Homesite one day, another the next day, but  
> present the RP the same persona URL.
> SXIP also allows you to store all your data on your own computer.  
> Since the data is pushed, the repository does not need to be  
> locatable by the RP. In OpenID, the IDP needs to be callable by the  
> RP.
> I think you totally missed my other points that the user will NOT  
> always want to identify themselves. They may want to only provide  
> some data. Impossible in OpenID.
> On 17-Mar-06, at 1:17 PM, Joaquin Miller wrote:
>> Clear and useful analysis, Dag.  Thanks.
>> Cordially, Joaquin
>>> I personally like how I can choose to use my own url for OpenID.   
>>> This means that if I own a URL I can use it to identify me even  
>>> as the services I use change.  Although I can use  
>>>, which is not bad at all to type in in the first  
>>> place, I can also use my personal domain, which points  
>>> to the same OpenID server.  Many places I go on the internet and  
>>> post things I am happy to say, "This is really me, the one and  
>>> only Dag Rorek Arneson". And if for some reason I want to change  
>>> my IDP, or add a fallback IDP, all I have to do is change the  
>>> magic at my URL.
>>> If I want a new persona, I register a new account on myopenid  
>>> site, say, and presto.  Save that the new  
>>> account name is the reverse of my name, there's nothing that  
>>> links the two personas.
>>> With the SXIP way of doing things, I depend on my homesite for  
>>> everything, and I am suddenly an entirely different person if I  
>>> choose to use a new homesite.  In exchange, I can wait until I  
>>> get to my homesite to decide if I want to be dag or gad on this  
>>> RP, instead of simply entering the address for the appropriate  
>>> persona when I am prompted on the RP.  Since most everyone who  
>>> does openid login uses "openid_url" as the name of the field, I  
>>> should have auto completion for the field and so I don't have to  
>>> type in the whole thing every time.
>>>> Well, now the user has uniquely identified themselves with one of a
>>>> small number of URLs that they can remember to type in. Are we  
>>>> really
>>>> that much further along than passwords?
>>> Yes, this is precisely the goal.  We have a secure way of  
>>> positively linking a browser session with a persona specified by  
>>> a URL.  Provided that their account on their openid server is  
>>> secure, nobody else can successfully assert that they own the  
>>> URL, and thus they are the same person that logged in with that  
>>> URL before.
>>>> [1] also, if the email is pushed to the RP instead of being  
>>>> pulled, the Homesite can generate a unique email just for that  
>>>> RP, so that the RP does not have a triangulating identifier,  
>>>> and also the user can kill the unique email if it is abused
>>> It's not necessary to push to gain this benefit.  In fact, claims  
>>> like this were the source of my confusion regarding the  
>>> definition of push. It is sufficient for the user to be able to  
>>> change the data that is being sent in response to the request by  
>>> the RP.
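
The per-RP email address from footnote [1] in the quoted discussion, sketched as an added example that is not part of the thread and not SXIP or OpenID code. The `AliasIssuer` class, the HMAC-based derivation, and the `mail.homesite.example` domain and RP URLs are assumptions made for illustration; the sketch applies however the address is delivered to the RP.

```python
import base64
import hashlib
import hmac


class AliasIssuer:
    """Hypothetical Homesite/IDP component issuing one email alias per RP."""

    def __init__(self, secret: bytes, mail_domain: str):
        self._secret = secret        # known only to the Homesite/IDP
        self._domain = mail_domain
        self._generation = {}        # (user, rp) -> int, bumped on each kill
        self._live = {}              # alias -> user, for inbound mail routing

    def alias_for(self, user: str, rp: str) -> str:
        """Return the current alias for this (user, RP) pair."""
        gen = self._generation.get((user, rp), 0)
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
        msg = b"".join(len(p).to_bytes(2, "big") + p
                       for p in (user.encode(), rp.encode(), str(gen).encode()))
        tag = hmac.new(self._secret, msg, hashlib.sha256).digest()[:10]
        alias = f"{base64.b32encode(tag).decode().lower()}@{self._domain}"
        self._live.setdefault(alias, user)
        return alias

    def kill(self, user: str, rp: str) -> str:
        """Revoke the alias this RP holds; the next request gets a fresh one."""
        old = self.alias_for(user, rp)
        self._live.pop(old, None)
        self._generation[(user, rp)] = self._generation.get((user, rp), 0) + 1
        return old

    def route(self, alias: str):
        """Mail-side lookup: the owning user, or None if revoked or unknown."""
        return self._live.get(alias)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    issuer = AliasIssuer(b"constructed-demo-secret", "mail.homesite.example")
    one = issuer.alias_for("dag", "https://rp-one.example/")
    two = issuer.alias_for("dag", "https://rp-two.example/")
    print(one, two)                       # two unrelated-looking addresses
    issuer.kill("dag", "https://rp-one.example/")
    print(issuer.route(one), issuer.route(two))
```

Two RPs comparing the addresses they hold cannot link them without the issuer's secret, and killing one alias leaves the others deliverable.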
