authenticating with XMPP ID (jabber address)

Posted May 30, 2008 6:27 UTC (Fri) by jamesh (subscriber, #1159)
In reply to: authenticating with XMPP ID (jabber address) by martinfick
Parent article: The problem(s) with OpenID

> These are mostly performance, not HA solutions. None of these allow
> for simple delegation (if so, please explain how).

Many high availability solutions also improve performance.  An HA solution does not
necessarily mean having a backup server sitting round waiting for the primary server to die.
In fact, most multi-active solutions are more likely to handle crashes correctly because they
need to be aware of other nodes in the common case.

> Again, this does not allow for the XRDS document to be simply delegated
> to someone else (if so, please explain how).

As I said, you can use the same techniques as used to make any web site highly available.

> You make it sound like I only have to introduce it to one part when
> I really have to introduce it to every part for it to actually be HA

It wasn't my intention to make it look like you only needed to add HA to one part.  Some of
the techniques I mentioned can be omitted though (a single high availability OpenID provider
might satisfy your needs, for instance).

> But how can I delegate this to others with openid? The protocol does
> not provide a mechanism to do this? Can a friend easily provide a
> backup openid service for you?  How would the naming scheme work? If
> my identity URL is http://mydomain.com/myopenidsoftware/John.Doe, how
> can my friend's openid server which gives him an identity URL of
> http://backup.com/backupopenidsoftware/Friend use his server to
> backup my id? That is the problem, there is no easy standard way of
> doing this? 

Take a look at the discovery portions of the specification again.  In particular, the
difference between the "claimed identifier" and the "OP-local identifier".  The identifier
allocated to you by an OpenID provider is not necessarily the same as the claimed identifier
given to the relying parties.  Provided you have your discovery information in order, this
should not be a problem.

Now, this isn't to say that there are bugs in the existing OpenID implementations.  Some
deployments are buggy (e.g. SourceForge's implementation is incomplete, with no support for
XRDS).  Few libraries try secondary endpoints in the XRDS if the first fails (this is roughly
equivalent to an MTA only trying the first MX record).  Things will have to improve, but they
are not inherent flaws in the specification.  We are talking about a fairly new technology
here.


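The distinction the comment above draws between the claimed identifier and the OP-local identifier, combined with trying secondary XRDS endpoints when the first fails, shown as an added example that is not part of the original comment or of any OpenID library. The XRDS document and endpoint URIs are constructed, the XRDS is assumed to have been fetched already, and `reachable` is a hypothetical stand-in for the request to the provider.

```python
import xml.etree.ElementTree as ET

XRD_NS = "{xri://$xrd*($v*2.0)}"
SIGNON = "http://specs.openid.net/auth/2.0/signon"
CLAIMED_ID = "http://mydomain.com/myopenidsoftware/John.Doe"  # identity URL from the thread

# Constructed XRDS for CLAIMED_ID; both endpoint URIs are invented for this example.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://backup.com/backupopenidsoftware/endpoint</URI>
      <LocalID>http://backup.com/backupopenidsoftware/Friend</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>http://mydomain.com/myopenidsoftware/endpoint</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def signon_services(xrds_text):
    """Return (endpoint_uri, op_local_id) pairs, best priority first."""
    found = []
    for svc in ET.fromstring(xrds_text).iter(XRD_NS + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD_NS + "Type") if t.text]
        if SIGNON not in types:
            continue
        prio = svc.get("priority")
        # Lower number wins; a service with no priority attribute sorts last.
        key = (prio is None, int(prio or 0))
        local = svc.findtext(XRD_NS + "LocalID")
        for uri in svc.findall(XRD_NS + "URI"):
            found.append((key, uri.text.strip(), local.strip() if local else None))
    return [(uri, local) for _, uri, local in sorted(found, key=lambda f: f[0])]


def choose_provider(claimed_id, xrds_text, reachable):
    # Walk every endpoint in priority order instead of giving up after the first.
    for uri, local in signon_services(xrds_text):
        if reachable(uri):
            # Without a LocalID, the OP-local identifier is the claimed identifier.
            return {"claimed_id": claimed_id, "op_endpoint": uri,
                    "op_local_id": local or claimed_id}
    raise LookupError("no OpenID provider endpoint reachable")
```

The relying party keeps the same claimed identifier whichever provider answers; only the endpoint and the OP-local identifier sent to it change.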

authenticating with XMPP ID (jabber address)

Posted May 30, 2008 16:25 UTC (Fri) by martinfick (subscriber, #4455)

I think that you missed this part of my reply above:

> These solutions will not provide a solution for an individual who
> wants to set up his own openid server and wants to simply delegate
> failover to a friend or an ISP.

Your answers do not address this primary issue. MX records for email do. Without this, openid is not poised for global adoption and will remain something that enslaves anyone who wants to use it to the whims of large corporate openid providers. It is not a reasonable solution for someone who wants to be independent, which is really a shame. For those of us who look for the ability to be independent from a software infrastructure perspective (which I suspect many free software users do), openid brings us this hope, but unfortunately it seems to fall short of delivering this. :(

From your answers and others like you it is obvious that openid has done a good job marketing to and making life easy and profitable for the expensive high-end providers; perhaps this was the single most important/valid criticism in this article. However, little thought seems to have been given to the concerns of smaller entities such as individual users who want to be their own providers.

Maybe I am just old school, I still own a land line (scoff)! Back when email was designed, connectivity and availability were not taken for granted as they are today. I guess it is just hard to escape from this narrow-minded point of view when the web today seems like it just works. Sadly, this point of view shows clearly in the design of many newer technologies.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds