[OpenID] Distributed ID Servers

Drummond Reed drummond.reed at cordance.net
Thu Dec 21 21:03:18 UTC 2006


Yes, I agree. It would be fine to make a separate OpenID spec, so that all
the other specs can reference it. Whatever works best.

=Drummond 

-----Original Message-----
From: Johannes Ernst [mailto:jernst+openid.net at netmesh.us] 
Sent: Thursday, December 21, 2006 11:09 AM
To: Drummond Reed
Cc: Darryl; general
Subject: Re: [OpenID] Distributed ID Servers

Drummond, I recall we discussed this, but I wasn't aware it actually  
made it into a document ... so we do have the aliveness after all!

Is that a section that should become its own document under  
openid.net/specs or at least be pointed to? It appears to me that  
there does not need to be more than one spec for how to check  
liveness ...


On Dec 21, 2006, at 0:28, Drummond Reed wrote:

> Johannes, interestingly the ability to check for the "aliveness" of an
> authentication server (as well as the activation of the user's OpenID
> account on that server) was a subject that did get discussed -- and
> specified -- by XDI.org when it published its OpenID conformance spec for
> i-names.
>
> See section 7 of
> http://iss.xdi.org/moin.cgi/OpenIdAuthnService?action=AttachFile&do=get&target=iss-authn-openid-v1.0-wd-02.pdf.
>
> This mechanism is very simple and lightweight and can work with pretty much
> any XRDS service type.
>
> =Drummond
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Johannes Ernst
> Sent: Wednesday, December 20, 2006 8:44 PM
> To: Darryl
> Cc: general at openid.net
> Subject: Re: [OpenID] Distributed ID Servers
>
> We already have that, at least to some extent.
>
> First, you can load balance etc. and hide several physical servers
> behind the same domain name.
> Second, you can specify N>=1 services supporting the same service
> type (e.g. OpenID Auth 1.1) at M>1 different domain names, by putting
> multiple entries into the Yadis/XRDS file, potentially with priorities.
>
> What we don't have currently is many implementations that check the
> aliveness of an authentication server before redirecting the browser
> session there. But a simple HTTP HEAD on the service URL should suffice.
>
> On Dec 20, 2006, at 20:05, Darryl wrote:
>
>> Are there any ideas about making the OpenID system
>> safe from ID server downtime? I'm thinking that if the
>> IDs themselves were distributed around to various ID
>> servers, while still associating each ID with an
>> actual server, when that server goes down, the system
>> could default to the ID server network to see if the
>> ID is available elsewhere. All the data could be
>> hashed like we would normally hash just passwords,
>> this way no one could see who has access to what.
>>
>> There might also be a way to keep the primary ID
>> server's information up-to-date after it goes down
>> while still letting people authorize new sites during
>> the down time. When the primary ID server goes down, a
>> temporary ID server could be chosen and when the
>> primary is back online, you could inform it of updates
>> on that temp server, and then, when the primary is
>> updated, the information propagates. Of course, if the
>> information on the temp server is not genuine it
>> wouldn't propagate because the primary would refuse
>> it.
>>
>> Just some ideas. I'm sure they could be improved upon
>> or something.
>>
>> - Darryl McAdams
>>
>> -------------------------------
>>
>> o///
>> Be seeing you...
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
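
The failover described in the thread (several same-type service entries with priorities in the Yadis/XRDS file, and an HTTP HEAD liveness check before redirecting), as an added example that is not part of the original messages and not code from any OpenID library. The host names, the function names and the "any status below 500 is alive" policy are assumptions, and `SAMPLE_XRDS` is constructed.

```python
import http.client
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
XRD = "{xri://$xrd*($v*2.0)}"          # XRD 2.0 namespace used by Yadis/XRDS
OPENID_11 = "http://openid.net/signon/1.1"
# Constructed sample: the same service type offered at two domain names.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
 <XRD>
  <Service priority="20"><Type>http://openid.net/signon/1.1</Type>
   <URI>https://backup.idp.example/server</URI></Service>
  <Service priority="10"><Type>http://openid.net/signon/1.1</Type>
   <URI>https://primary.idp.example/server</URI></Service>
 </XRD>
</xrds:XRDS>"""

def _prio(el):
    p = el.get("priority")  # lower value is preferred; missing sorts last
    return int(p) if p and p.isdecimal() else float("inf")

def endpoints(xrds_text, service_type=OPENID_11):
    """Service URIs for service_type, most preferred first."""
    found = []
    # Fetched XRDS is untrusted input: use a hardened XML parser in production.
    for svc in ET.fromstring(xrds_text).iter(XRD + "Service"):
        types = [(t.text or "").strip() for t in svc.findall(XRD + "Type")]
        if service_type in types:
            found += [(_prio(svc), _prio(u), u.text.strip())
                      for u in svc.findall(XRD + "URI") if u.text]
    return [url for _, _, url in sorted(found, key=lambda f: f[:2])]

def head_alive(url, timeout=3.0):
    """HTTP HEAD probe: any answer below 500 counts as alive (assumed policy)."""
    parts = urlsplit(url)
    # The URI comes from a user-supplied document, so allow only http(s).
    cls = {"http": http.client.HTTPConnection,
           "https": http.client.HTTPSConnection}.get(parts.scheme)
    if cls is None or not parts.hostname:
        return False
    try:
        conn = cls(parts.hostname, parts.port, timeout=timeout)
        conn.request("HEAD", parts.path or "/")
        status = conn.getresponse().status
        conn.close()
        return status < 500
    except (OSError, ValueError, http.client.HTTPException):
        return False

def pick_endpoint(xrds_text, probe=head_alive):
    """First endpoint in priority order that answers the probe, else None."""
    return next((u for u in endpoints(xrds_text) if probe(u)), None)
```

Passing a different `probe` lets a relying party reuse a cached liveness result instead of issuing a HEAD request on every login.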
