[OpenID] Localhost OpenID

Rabbit xageroth at gmail.com
Thu Dec 14 03:49:47 UTC 2006


@Martin

Then my question to you would be, why shouldn't it work this way?

When I was talking about localhost, btw, I didn't mean as the
identifier itself, just for authentication. So a yadis doc would still
be served up from the public web.

1) Your identity would be easier to transfer around providers because
it's being represented by data rather than a location.

2) Less dependent on DNS, which can have its own range of problems
(poisoning, illegal site transfers, country disagreements?, etc.)

3) More difficult to steal. In order to steal an OpenID you only need
to gain access to a webpage. Millions of ways to do that. That's why I
like the idea of localhost for authentication via an identifiable
resource, because then even if your website gets hijacked and they
edit the yadis or change your "link rel", they still can't pretend to
be you. If your public web server goes down, you still have
your identity and can set up a temporary new identifier for yourself
within minutes and wouldn't have to explain yourself to the services
you use. They wouldn't notice a difference; the identity resource is
the same.

And the only thing needed to make all that happen is a public key
entered into the equation. I appreciate all this feedback btw.

On 12/13/06, Jeremy Smith <jeremyrsmith at gmail.com> wrote:
> Imagine trying to get into a club and the bouncer is checking IDs.  If
> everyone just says to him "I am me" and he lets them in, what's the point of
> checking IDs in the first place?  The benefit of OpenID comes from the site
> that's authenticating you being able to be sure that you own a certain URL.
> *Everyone* owns their localhost, so it's a no-brainer.  Like Daniel said -
> if you want to use your own machine to serve your identity, attach a dynamic
> domain name to it.

I don't see why self authentication is bad. The difference between
saying "I am me" in reality and with this is that in reality people
could lie and get away with it, while with this it would be
programmatically verified that the person is lying. So saying "I am
me" is OK so long as nobody else is able to say "I am me", which is the
case here. Besides, OpenID allows you to say "I am me" already.

> If you enable "localhost" to be a valid OpenID, it will either a)
> immediately become useless as it becomes universally banned because of
> spammers using "localhost" to authenticate themselves, or b) open the door
> for spammers to render OpenID completely useless.

I think I didn't explain myself right. I meant localhost for
authentication, the SSO segment of the yadis document. Everything else
would still be served up on the public web.

Aside from that, OpenID is already wide open for spam. There's nothing
about the scheme now that in any way whatsoever protects against
spam. In fact, as I recall, OpenID began to be used as spam only a few
short weeks after it was released.

-- 
Rabbit
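The property argued for above (a hijacked page that swaps the published key still cannot log in as you) only holds if the relying party remembers the key it first saw; if it re-reads the key from the hijacked page on every login, the swap succeeds. The sketch below is an added illustration written for this page, not code from the thread or from any OpenID implementation; it assumes Ed25519 keys, a per-login challenge nonce, a made-up identifier "rabbit.example", and a relying party that pins keys on first use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Identity is the user's long-lived key pair: the public half is published in the
// yadis document, the private half stays on the user's own machine ("localhost").
type Identity struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIdentity() *Identity {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // no usable entropy source; nothing sensible to do in a demo
	}
	return &Identity{Pub: pub, priv: priv}
}

// Sign answers the relying party's per-login challenge with the private key.
func (id *Identity) Sign(nonce []byte) []byte { return ed25519.Sign(id.priv, nonce) }

// RelyingParty pins the first public key it sees per identifier (trust on first use).
// Without the pin, whoever can edit the yadis document could publish their own key.
type RelyingParty struct{ pinned map[string]ed25519.PublicKey }

func NewRelyingParty() *RelyingParty { return &RelyingParty{pinned: map[string]ed25519.PublicKey{}} }
// Verify accepts a login only if the published key matches the pin (if any) and the signature verifies.
func (rp *RelyingParty) Verify(id string, published ed25519.PublicKey, nonce, sig []byte) error {
	if pinned, ok := rp.pinned[id]; ok && !pinned.Equal(published) {
		return fmt.Errorf("identifier %q: published key differs from pinned key", id)
	}
	if !ed25519.Verify(published, nonce, sig) {
		return fmt.Errorf("identifier %q: challenge signature does not verify", id)
	}
	rp.pinned[id] = published // first sighting: remember this key for next time
	return nil
}

func main() {
	user, attacker, rp := NewIdentity(), NewIdentity(), NewRelyingParty()
	nonce := []byte("constructed-nonce-1") // the RP's challenge for this login attempt
	fmt.Println("user:    ", rp.Verify("rabbit.example", user.Pub, nonce, user.Sign(nonce)))
	// Hijacked page now advertises the attacker's key; the pin rejects it.
	fmt.Println("hijacker:", rp.Verify("rabbit.example", attacker.Pub, nonce, attacker.Sign(nonce)))
}
```

A fresh relying party with no pin would accept the attacker's key just as readily, which is the caveat: the key, not the page it is served from, has to be what the relying party trusts.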
