[OpenID] Localhost OpenID
Daniel E. Renfer
Duck at Kronkltd.net
Wed Dec 13 15:59:15 UTC 2006
First off, the problem with using localhost as your identity is the RP
and OP have to be able to resolve 'localhost' to be the same IP
address. (This is why there has been such an emphasis put on the
security of the DNS records.) Theoretically, it would work if they are
both being hosted on your machine. Seeing as it's very unlikely that
you would do something like that, having 'localhost' as your identity
doesn't really work very well.
Second, you have to consider Virtual Hosts. My identity is hosted by a
hosting service that uses the same IP address for several domains. I
have to actually access my site by domain, otherwise I'll get a
different site. So, in effect, if Google ever decided to use Virtual
Hosts, 64.233.187.99 might not be Google, even though Google is
64.233.187.99.
If you really want a portable identity, you could always get a dynamic
name service to give yourself a common name that'll point to whatever
IP you're using at the moment. (dyndns.org has a very good free
service.) You could set up a script of some sort that updates your IP
the moment that your USB drive is mounted and then have a very light
HTTP server serving little more than your XRDS file/web page with link
tags. If you wanted to go a step further, you could also host an OP
that will only authenticate requests coming from localhost. (no u/p
required)
I'm sure I didn't quite address the use case you had in mind, but
hopefully I helped explain at least partially why things are the way
they are.
Daniel E. Renfer
http://kronkltd.net/
On 12/13/06, Rabbit <xageroth at gmail.com> wrote:
> Nearly a year ago I brought up a concern and was seemingly alone on
> this point so I stepped aside hoping as things developed I would have
> my mind changed. I now think it really is just a difference in
> philosophy so I wanted to bring this up again to see what others
> think.
>
> The best way I know to illustrate the concern is to argue for
> localhost OpenID. Right now using localhost for your OpenID is
> impossible because it's a local network address and is also different
> for every single machine. Even though the transactions between a web
> service and identity provider leverage the *user's* line of
> communication, the URL is very important to OpenID. So would it be
> possible to use localhost? Yes, if OpenID were concerned about
> identity as a resource instead of identity as a URL.
>
> There is a big difference between a resource and a URL but OpenID is
> resource ignorant. Any URL that resolves to 64.233.187.99 is still
> Google. If any of the URLs change, or even the IP address, the
> identity that *is* Google is not completely bound by these terms. The
> important thing is the resource, not how we find it. In terms of OpenID
> the URL can be changed with a juggling act, but the emphasis is never
> taken off the URL; there is no "identity resource" we're hoping to find
> or that exists independent from its locator.
>
> Don't get me wrong, I'm a very big supporter of using URLs as the
> identifier, but only as something human usable. If a URL resolved to a
> public key, for example, web services could cease to care about URLs
> altogether. If a user changed identity providers, the web services
> would never have to work to reclaim their users' accounts; to the web
> service, the identity being handled has not changed because the
> resource is the same. Along with all that, a user could use their
> vanity domain as their public face and localhost as their identity
> provider. "localhost/jane" would be different from all other
> "localhost/jane"s because the resources would be verifiably different.
> You could easily carry your identity provider with you in your pocket
> on a USB drive.
>
> What could be more decentralized than that?
>
> Maybe I just don't get it.
>
> --
> Rabbit
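An added example, not code from this thread: the two checks a relying party would want given Daniel's points above. `host_is_local` rejects a claimed identifier or OP endpoint whose host is 'localhost' or a loopback/private IP literal (the RP would otherwise fetch it relative to itself), and `normalize_identifier` compares identities as URLs rather than IP addresses, so two virtual hosts on one IP stay distinct. The sample identity page and the hostnames in it are constructed for the example; OpenID 1.x `openid.server`/`openid.delegate` link tags are the discovery mechanism the reply mentions.

```python
import re
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed sample identity page (not from the thread): a 1.x HTML page
# that announces its OP endpoint and a delegate identifier via <link> tags.
SAMPLE_IDENTITY_PAGE = """<html><head>
<link rel="openid.server" href="https://id.example.net/server">
<link rel="openid.delegate" href="http://localhost/jane">
</head><body>jane</body></html>"""

# Assumes rel comes before href inside the tag, as in the sample above.
LINK_RE = re.compile(r'<link\s+[^>]*?rel="(openid\.[a-z]+)"[^>]*?href="([^"]+)"', re.I)

def parse_link_tags(html):
    """Return {rel: href} for the openid.* link tags (OpenID 1.x HTML discovery)."""
    return {rel.lower(): href for rel, href in LINK_RE.findall(html)}

def host_is_local(url):
    """True if the URL's host is 'localhost' or a loopback/private/link-local IP literal.
    No DNS lookup is done here, so a name that merely resolves to such an address
    must still be checked when the RP actually connects."""
    host = urlsplit(url).hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; cannot be judged offline
    return ip.is_loopback or ip.is_private or ip.is_link_local

def normalize_identifier(url):
    """Canonical URL the RP should compare: lowercase scheme and host, default
    port dropped, path kept. Two vhosts on one IP remain different identities."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if parts.port and parts.port not in (80, 443):
        host = f"{host}:{parts.port}"
    return urlunsplit((parts.scheme.lower(), host, parts.path or "/", "", ""))

def check_identity_page(claimed_id, html):
    """RP-side decision: list every reason this identity page cannot be used."""
    problems = []
    links = parse_link_tags(html)
    server = links.get("openid.server")
    delegate = links.get("openid.delegate", claimed_id)
    if not server:
        problems.append("no openid.server link tag")
    for label, url in (("claimed id", claimed_id), ("openid.server", server),
                       ("openid.delegate", delegate)):
        if url and host_is_local(url):
            problems.append(f"{label} points at a local address: {url}")
    return problems
```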