[OpenID] Distributed ID Servers
Brian Ellin
brian at janrain.com
Thu Dec 21 19:33:52 UTC 2006
Using delegation and a custom XRDS, I've pointed to three different
OpenID servers. If the first server is down or unreachable, I may
click submit on the RP a second time, and the next highest priority server
will be tried. This may continue until I've successfully verified my
OpenID.
I'm using MyOpenID, Verisign's PIP, and schtuff.com as my servers.
All of the JanRain libraries implement this behavior. You may see my
XRDS here:
http://brianellin.com/xrds
Cheers,
Brian Ellin
JanRain, Inc.
On 12/21/06, Drummond Reed <drummond.reed at cordance.net> wrote:
> Johannes, interestingly the ability to check for the "aliveness" of an
> authentication server (as well as the activation of the user's OpenID
> account on that server) was a subject that did get discussed -- and
> specified -- by XDI.org when it published its OpenID conformance spec for
> i-names.
>
> See section 7 of
> http://iss.xdi.org/moin.cgi/OpenIdAuthnService?action=AttachFile&do=get&target=iss-authn-openid-v1.0-wd-02.pdf.
>
> This mechanism is very simple and lightweight and can work with pretty much
> any XRDS service type.
>
> =Drummond
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Johannes Ernst
> Sent: Wednesday, December 20, 2006 8:44 PM
> To: Darryl
> Cc: general at openid.net
> Subject: Re: [OpenID] Distributed ID Servers
>
> We already have that, at least to some extent.
>
> First, you can load balance etc. and hide several physical servers
> behind the same domain name.
> Second, you can specify N>=1 services supporting the same service
> type (e.g. OpenID Auth 1.1) at M>1 different domain names, by putting
> multiple entries into the Yadis/XRDS file, potentially with priorities.
>
> What we don't have currently is many implementations that check the
> aliveness of an authentication server before redirecting the browser
> session there. But a simple HTTP HEAD on the service URL should suffice.
>
> On Dec 20, 2006, at 20:05, Darryl wrote:
>
> > Are there any ideas about making the OpenID system
> > safe from ID server downtime? I'm thinking that if the
> > ID's themselves were distributed around to various ID
> > servers, while still associating each ID with an
> > actual server, when that server goes down, the system
> > could default to the ID server network to see if the
> > ID is available elsewhere. All the data could be
> > hashed like we would normally hash just passwords,
> > this way no one could see who has access to what.
> >
> > There might also be a way to keep the primary ID
> > server's information up-to-date after it goes down
> > while still letting people authorize new sites during
> > the down time. When the primary ID server goes down, a
> > temporary ID server could be chosen and when the
> > primary is back online, you could inform it of updates
> > on that temp server, and then, when the primary is
> > updated, the information propagates. Of course, if the
> > information on the temp server is not genuine it
> > wouldn't propagate because the primary would refuse
> > it.
> >
> > Just some ideas. I'm sure they could be improved upon
> > or something.
> >
> > - Darryl McAdams
> >
> > -------------------------------
> >
> > o///
> > Be seeing you...
> >
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
>