Impact-d001
From Yadis
Note: This page describes a draft set of changes to the Yadis spec. The changes proposed here have now been incorporated, either in whole or in part, into the main spec. This draft remains for historical reference only.
Impact on LID and OpenID
Both LID and OpenID consumers are impacted by Yadis. To support Yadis, they must implement the capability discovery protocol. The capability discovery protocols for LID and OpenID are described in the following sections. Once the capability discovery phase is complete, LID and OpenID authentication proceeds as normal.
OpenID servers are not affected by Yadis.
LID servers are not affected by Yadis. (Editor's Note: I think? I'm no LID expert.)
Ideally, both LID and OpenID consumers will in the future expand to support other signon protocols which are declared via Yadis capability.
OpenID Capability Discovery
The capability identifier for OpenID authentication is http://openid.net/signon, and the current version is 1.0. An OpenID capability declaration is as follows:
capability: http://openid.net/signon
version: 1.0
server: http://www.idserv.net/openidserver
identity: http://john.idserv.net/
The server field gives the URL of the OpenID Identity Server which can authenticate this identity, and is required. The identity field gives the OpenID Identity URL to use for signon, and is optional. If the identity field is not present, the Yadis Identity is used.
OpenID delegation is not supported, since Yadis itself provides equivalent delegation support.
OpenID identity URLs may continue to include openid.server and openid.delegate LINK elements for backwards compatibility, but the behavior when the configuration in the legacy fields and in the identity document differs is undefined, so care must be taken to keep the settings in sync.
LID Capability Discovery
Authentication
The capability identifier for LID authentication is http://lid.netmesh.org/sso and the current version is 2.0. A LID capability declaration is as follows:
capability: http://lid.netmesh.org/sso
version: 2.0
lid: http://john.idserv.net/lid
The lid field gives the LID URL to use for signon, and is optional. If this field is not present, the capability document URL (not the user-entered identity URL where HTML indirection was used) is the default. (Editor's note: I think the capability document URL is a better default than the HTML document, since in the HTML indirection case it's likely that the original document was just some static file and thus can't act as a LID endpoint.)
Traversal Profile
The capability identifier for the LID Traversal Profile is http://lid.netmesh.org/traversal and the current version is 2.0. The capability declaration is the same as for LID authentication aside from the capability identifier.
VCard Profile
The capability identifier for the LID VCard Profile is http://lid.netmesh.org/traversal/vcard and the current version is 2.0. The capability declaration is the same as for LID authentication aside from the capability identifier.