[OpenID] Drosophilia of Delegation (identity and private feeds)
Martin Atkins
mart at degeneration.co.uk
Thu Apr 5 23:47:56 UTC 2007
Lukas Rosenstock wrote:
> Things like that have been on this list more than once and some people
> have talked about it, but somehow these discussions didn't get too far (or
> continued without public notice). Martin Atkins proposed his OpenID
> Exchange which is some kind of OpenID authentication for
> non-browser-requests.
>
Perhaps I'm causing confusion by talking about too many things at the
same time. I've been writing up lots of different things based on the
idea of using OpenID-style Authentication with HTTP requests, one of
which was OpenID Exchange. OpenID Exchange, however, *is* tied to
browsers in that it requires a user to authorise a transaction taking
part on his behalf.

The non-browser transaction part was the HTTP Authentication bindings:
<http://openid.net/wiki/index.php/OpenIDHTTPAuth>

These are currently limited to only "dumb mode", but allow non-human
agents to authenticate as an OpenID Identifier in certain specialised,
non-browser protocols such as "Send a Message"[1].

My goal is to specify a suite of authentication mechanisms that can be
used with HTTP requests so that the same protocols can be used
regardless of whether the authentication is three-party
user-accompanied, software-to-server two-party or user-to-software
two-party. OpenID Exchange handles the first, HTTPAuth will hopefully
handle the second if it can be specified in a secure manner, and the
last remains to be solved but I expect will likely come in the form of
two-party HTTPAuth extended with a protocol for a non-browser app to
securely fetch a computed signature from an OP on behalf of a user.

[1] http://openid.net/wiki/index.php/Send_A_Message_Protocol