Re: sketch of a simple authentication protocol

On 2 Apr 2008, at 15:52, Story Henry wrote:

> I thought it would be fun to represent your answer [1] with a  
> Sequence Diagram to make sure I have really understood what you are  
> saying. It is even simpler that the previous sketch.


Yep, that's pretty much it.

An additional detail which is missing in your diagramme is: what  
happens if Romeo's client doesn't send an Agent-Id header (I used  
HTTP "From" header originally, but it doesn't really matter what the  
header is called) or Juliette decides she doesn't trust Romeo. I  
originally specified that a simple copy of the public profile should  
be returned, but instead I think perhaps a 302 redirect back to the  
public profile is more appropriate.

Also, I'd like to make a bid to explicitly allow XHTML+RDFa to be  
used for the public profiles (and if implementations are going to  
need to support it for public profiles, we might as well also allow  
it for private profiles!). With that in place, a person can decide to  
use the same URI for:

	* their (human-readable) homepage;
	* their FOAF profile for use in this protocol; and
	* their OpenID identifier.

If we insisted that their profile URI be RDF/XML, then that couldn't  
happen (except perhaps with some sort of content negotiation going on  
— I've not thought out the details).

-- 
Toby A Inkster
<mailto:mail@tobyinkster.co.uk>
<http://tobyinkster.co.uk>

Received on Thursday, 3 April 2008 08:57:17 UTC