[OpenID] Distributed ID Servers
Drummond Reed
drummond.reed at cordance.net
Thu Dec 21 08:28:09 UTC 2006
Johannes, interestingly the ability to check for the "aliveness" of an
authentication server (as well as the activation of the user's OpenID
account on that server) was a subject that did get discussed -- and
specified -- by XDI.org when it published its OpenID conformance spec for
i-names.
See section 7 of
http://iss.xdi.org/moin.cgi/OpenIdAuthnService?action=AttachFile&do=get&target=iss-authn-openid-v1.0-wd-02.pdf.
This mechanism is very simple and lightweight and can work with pretty much
any XRDS service type.
=Drummond
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Johannes Ernst
Sent: Wednesday, December 20, 2006 8:44 PM
To: Darryl
Cc: general at openid.net
Subject: Re: [OpenID] Distributed ID Servers
We already have that, at least to some extent.
First, you can load balance etc. and hide several physical servers
behind the same domain name.
Second, you can specify N>=1 services supporting the same service
type (e.g. OpenID Auth 1.1) at M>1 different domain names, by putting
multiple entries into the Yadis/XRDS file, potentially with priorities.
What we don't have currently is many implementations that check the
aliveness of an authentication server before redirecting the browser
session there. But a simple HTTP HEAD on the service URL should suffice.
On Dec 20, 2006, at 20:05, Darryl wrote:
> Are there any ideas about making the OpenID system
> safe from ID server downtime? I'm thinking that if the
> ID's themselves were distributed around to various ID
> servers, while still associating each ID with an
> actual server, when that server goes down, the system
> could default to the ID server network to see if the
> ID is available elsewhere. All the data could be
> hashed like we would normally hash just passwords,
> this way no one could see who has access to what.
>
> There might also be a way to keep the primary ID
> server's information up-to-date after it goes down
> while still letting people authorize new sites during
> the down time. When the primary ID server goes down, a
> temporary ID server could be chosen and when the
> primary is back online, you could inform it of updates
> on that temp server, and then, when the primary is
> updated, the information propagates. Of course, if the
> information on the temp server is not genuine it
> wouldn't propagate because the primary would refuse
> it.
>
> Just some ideas. I'm sure they could be improved upon
> or something.
>
> - Darryl McAdams
>
> -------------------------------
>
> o///
> Be seeing you...
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
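As an added example (not code from this thread or from any OpenID library), here is how a relying party could implement what Johannes describes above: read the services of one type (OpenID Auth 1.1 here) from a Yadis/XRDS document, order them by their Yadis priorities, and probe each with an HTTP HEAD before redirecting the browser, falling through to the next entry when one is down. The XRDS document and the idp.example hostnames are constructed for the example; the probe is injectable so the selection logic runs offline.

```python
"""Added example: choose a live OpenID endpoint from a Yadis/XRDS document.

Not code from the mailing-list thread or from any OpenID library. It covers
the two mechanisms Johannes Ernst describes: N services of the same type at
different domains, ordered by Yadis priority, plus an HTTP HEAD aliveness
probe before the relying party redirects the user's browser.
"""
import http.client
import math
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"               # XRD 2.0 namespace used inside XRDS
OPENID_1_1 = "http://openid.net/signon/1.1"  # OpenID Authentication 1.1 service type

# Constructed sample XRDS (hostnames are made up for this example): three
# providers for the same service type; lower priority value = preferred,
# a missing priority is least preferred.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://backup.idp.example/openid</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.1</Type>
      <URI priority="5">https://primary.idp.example/openid</URI>
      <URI priority="15">https://primary-alt.idp.example/openid</URI>
    </Service>
    <Service>
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://last-resort.idp.example/openid</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def _priority(elem: ET.Element) -> float:
    """Yadis priority: lower number wins; a missing attribute is least preferred."""
    value = elem.get("priority")
    return float(value) if value is not None else math.inf


def candidate_endpoints(xrds_text: str, service_type: str) -> List[str]:
    """Endpoint URIs offering service_type, most preferred first.

    Yadis uses the last XRD element in the document and recommends breaking
    priority ties at random; document order is kept here so results are
    reproducible.
    """
    root = ET.fromstring(xrds_text)
    xrds = root.findall(f"{{{XRD_NS}}}XRD")
    if not xrds:
        return []
    ranked = []
    for order, svc in enumerate(xrds[-1].findall(f"{{{XRD_NS}}}Service")):
        types = {t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text}
        if service_type not in types:
            continue
        uris = sorted(
            (_priority(u), i, u.text.strip())
            for i, u in enumerate(svc.findall(f"{{{XRD_NS}}}URI"))
            if u.text and u.text.strip()
        )
        ranked.append((_priority(svc), order, [text for _, _, text in uris]))
    ranked.sort()
    return [uri for _, _, uris in ranked for uri in uris]


def head_is_alive(url: str, timeout: float = 3.0) -> bool:
    """HTTP HEAD probe: any response below 500 (even a 405) means the server is
    up; a connection error, timeout or 5xx means skip it. Only http(s) is probed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("HEAD", path)
        return conn.getresponse().status < 500
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()


def select_live_endpoint(xrds_text: str, service_type: str,
                         probe: Callable[[str], bool] = head_is_alive) -> Optional[str]:
    """First endpoint in priority order whose probe succeeds; None if all are down."""
    for uri in candidate_endpoints(xrds_text, service_type):
        if probe(uri):
            return uri
    return None


if __name__ == "__main__":
    # Offline demonstration with a fake probe: both URIs of the primary are down,
    # so the relying party falls through to the backup provider.
    down = {"https://primary.idp.example/openid", "https://primary-alt.idp.example/openid"}
    print(select_live_endpoint(SAMPLE_XRDS, OPENID_1_1, probe=lambda u: u not in down))
```

Two caveats for anyone deploying this. The HEAD only tells you the server answered at probe time, not that the user's account is active there, which is the second thing Drummond says the XDI.org conformance spec covers; and the probe is an outbound request from the relying party to a URL taken from the user's discovery document, so it should get the same short timeout and destination restrictions the RP already applies to its discovery fetches.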