Discussion: RP Yadis URL?

Dick Hardt dick at sxip.com
Sun Oct 15 18:41:50 UTC 2006


On 15-Oct-06, at 10:54 AM, Chris Drake wrote:
> Hi Dick,
>
> 1. IdP's "advertising" a list of sites that accept OpenID - like the
>    way PayPal list stores that accept their currency I guess.  It's
>    annoying to a user to have to come back to the place they just
>    clicked in order to click a second time in order to go where they
>    wanted to in the first place...  Better to send them where they
>    want when they click the first time...

Since this list is made by the IdP, the IdP will know the RP and can
easily get the login_url.

> 2. Privacy and delegation: if we force the user to initially interact
>    with the RP, this gives the RP the opportunity to profile our
>    users, start collecting (and sharing with other RPs) correlating
>    information about them, and otherwise destroys IdP ability to
>    protect user privacy.

If the RP is given just the IdP, then I think we have minimized what  
the RP wants.
The user is choosing they want to interact with the RP, and the RP  
will know the IdP at some point anyway.
Is there something I am missing?

>
> Basically - this comes back to your "Discussion: bookmark login url
> discovery" message - and for the sake of additionally supporting
> future security enhancements (eg: anti-phishing), I'd recommend we
> place something inside the RP's login <FORM> page, like a <META> or
> <LINK> tag, for browser agents to use, or IdPs to find via referrer
> URLs.

I think doing XRDS discovery on the URLs reuses existing tech and  
solves the problem.

-- Dick
