How's it work?
Here's the big picture: (for details see the specs or the authentication protocol flow diagram)
- You maintain a blog at, say, livejournal.com (but this can be anything) and you stay logged in there usually.
- You go to leave a comment at someblog.com (perhaps it's Movable Type, or Wordpress, or DeadJournal, ...) and you don't have an account there, so there's otherwise no way to leave an authenticated comment. But if their blog-system has OpenID support, you see something like: (but hopefully prettier)
- You type "brad.livejournal.com", click login, and then without leaving the page and destroying the comment you were working on typing, the someblog.com server does some work:
- Looks at your blog, and finds your OpenID server. You don't even know what OpenID is, but your publishing software did it all for you.
- The someblog.com server returns to your browser and tells it the OpenID identity server it found.
- Then your browser contacts the identity server (see the details) and one of two things happen....
- If you've never told your homesite (LiveJournal in this case) that you trust this someblog.com site to know your identity, your homesite tells the page that (without revealing who you are) and the UI changes to something like this: (the UI is left entirely to the sites wanting to confirm an OpenID identity)
- Once you've told your homesite (your identity server, LiveJournal) that you trust this site you're visiting, everybody communicates behind the scenes to validate your identity, and you see perhaps:
Hello, Brad! You're now logged in to someblog.com as Brad from LiveJournal.
- If you've never told your homesite (LiveJournal in this case) that you trust this someblog.com site to know your identity, your homesite tells the page that (without revealing who you are) and the UI changes to something like this: (the UI is left entirely to the sites wanting to confirm an OpenID identity)
- Then you finish your comment, submit it, and the someblog.com server validates your identity behind the scenes, doing some mild crypto stuff explained in specs. If someblog.com is playing by the rules, nobody else can fake your identity. Of course any site can lie, but what fun is a thousand people all saying they're Bill Gates, and message boards allowing it? So respectable sites (where you'd hang out) would play by the rules.
What about trust?
This is not a trust system. Trust requires identity first.
What about spam?
Again, this is not a trust system.
Somebody could run their own identity server that says they're http://spammer.example.com/000001/ all the way to http://spammer.example.com/999999/ and that's not a goal of this system to prevent. It's another layer's job to say the identities with URL spammer.example.com/* is a spammer, or some ID server is a known spammer, or some particular identity is a known spammer.
What this does prevent is anybody but that spammer from using that identity URL. While somebody else could make their ID server say that they're that http://spammer.example.com/000001/ URL, a) why would they?, and b) unless they also controlled the host spammer.example.com, they couldn't change the <link rel=..> tag to point to their rogue identity server.
What about signing comments?
This system doesn't sign comments. If a rogue site says it's OpenID-enabled but actually isn't and claims to have posts from your identity, that doesn't mean anything. This system isn't designed to prevent that. The goal of this is for sites that do care about preventing spoofed comments/identities to be able to do so, if they play along.
After all, anybody could put up a geocities page right now that says anybody said anything. Do you trust it just because you read it?
There are, however, some pretty obvious spots to insert comment signing into this scheme, so it's likely a future version of this spec will include that, with the identity server providing back a permalink/signature to the comment posted, so readers on some random site can go back to the origin to verify it.