[OpenID] What's broken in OpenID 2.0? (IIW session)
ydnar
ydnar at shaderlab.com
Thu May 10 19:01:24 UTC 2007
Could delegation be used for this purpose?
<http://openid.net/specs/openid-authentication-1_1.html#delegating_authentication>
Example:
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://openid.livejournal.com/482834734545">
Randy
On May 10, 2007, at 11:56 AM, ydnar wrote:
> How significant (read: incompatible) a change would this be to the
> spec?
>
> URL recycling on services like LiveJournal or Vox is a pretty real
> issue: Users can elect to change their URL at any time. Their old URL
> could then be adopted by another user. Having the underlying mapping
> be an opaque value (or a guaranteed never-recycled URL) instead of
> the actual URL would address this.
>
> Randy
>
>
> On May 10, 2007, at 10:13 AM, Martin Atkins wrote:
>
>> ydnar wrote:
>>> Can the OP override the user’s input?
>>>
>>> User asserts: brad.livejournal.com
>>> LiveJournal overrides with: openid.livejournal.com/584593450349
>>>
>>> Which (for LiveJournal) would be guaranteed unique, never recycled.
>>>
>>
>> This is essentially the XRI mechanism, but done over HTTP instead. We
>> did also talk before about trying to make XRI-style synonyms (which
>> would solve this and other similar problems) with HTTP URLs, but I think
>> the main trouble is figuring out a way that this can be done securely
>> without adding significant overhead.
>>
>>
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
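The recycling problem discussed in this thread, as an added Python example that is not part of the original message or of any OpenID library: it parses the two delegation link tags and compares a relying party that files accounts under the typed URL with one that files them under the opaque delegate value. The `use_delegate` switch, the helper names and the second delegate value are assumptions of this example; it models the idea being asked about, not what the OpenID 1.1 specification requires.

```python
from html.parser import HTMLParser

class OpenIDLinks(HTMLParser):
    """Collect <link rel="openid.*" href="..."> values from a page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        href = (attr.get("href") or "").strip()
        for rel in (attr.get("rel") or "").lower().split():
            if rel.startswith("openid.") and href:
                self.links.setdefault(rel, href)  # first occurrence wins

def discover(html):
    parser = OpenIDLinks()
    parser.feed(html)
    return parser.links

def account_key(claimed_url, html, use_delegate):
    """Identifier a relying party would file the account under.
    use_delegate=True is this example's assumption: prefer the opaque
    delegate value over the URL the user typed."""
    links = discover(html)
    if "openid.server" not in links:
        raise ValueError("page advertises no openid.server")
    if use_delegate and "openid.delegate" in links:
        return links["openid.delegate"]
    return claimed_url

SERVER = '<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">'
PAGE = '<html><head>' + SERVER + '<link rel="openid.delegate" href="{}"></head></html>'
CLAIMED = "http://brad.livejournal.com/"
# Delegate from the message above, then a constructed one for the new owner.
OLD_OWNER = PAGE.format("http://openid.livejournal.com/482834734545")
NEW_OWNER = PAGE.format("http://openid.livejournal.com/000000000001")

def recycled_url_collides(use_delegate):
    """True if the new owner of a recycled URL maps to the old account."""
    old = account_key(CLAIMED, OLD_OWNER, use_delegate)
    new = account_key(CLAIMED, NEW_OWNER, use_delegate)
    return old == new

if __name__ == "__main__":
    print("keyed on typed URL:", recycled_url_collides(False))
    print("keyed on delegate: ", recycled_url_collides(True))
```

The delegate read from the page is only a discovery hint controlled by whoever controls the page; a relying party would store it as a key only after the OP's signed response asserts that same identity.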