Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow site owners to mark some rel="me" links as being unsuitable for contacting them #175

Closed
Dan-Q opened this issue Jan 21, 2018 · 2 comments

Comments

@Dan-Q
Copy link

Dan-Q commented Jan 21, 2018

I imagine that this might be best done via additional microformat metadata, something along the lines of:

<link rel="me non-authoritative" href="https://twitter.com/example" />

Indieauth (and ideally other authentication) providers would not consider such links to be valid targets for identity verification, but other metadata parsers would still consider that the resulting URL represents "me" (the person).

The following use-cases illustrate why this is important:

  1. A user who delegates their third-party account to a less-trusted party (e.g. Twitter does not support delegated permissions, and so some people share their password with an underling who manages their social media: the Twitter account still represents them, but should not be trusted for authentication).
  2. A user who does not trust the level of protection provided by the authentication systems of a platform, but who still wishes to identify themselves with it. For example, a user might not personally consider GitHub's authentication strategy to be sufficiently strong to protect their identity for all purposes, but still maintain a GitHub account. In this case, they'd want to be able to use rel="me" links to identify that it was "their" GitHub account, but might not want it to be able to be used to authenticate as them.
@aaronpk
Copy link
Owner

aaronpk commented Feb 27, 2018

This has been discussed a bit more on the IndieWeb wiki: https://indieweb.org/RelMeAuth#Consolidated_identities_do_not_carry_inherent_trust

This is a question for the RelMeAuth spec, which indieauth.com implements. I like the idea, it's just a matter of figuring out the best rel value now.

@aaronpk
Copy link
Owner

aaronpk commented Nov 19, 2018

A variation of this has been implemented on IndieLogin.com now! You can read about it here https://indielogin.com/setup#choosing-auth-providers

I won't be adding any new features to indieauth.com as I am in the process of phasing it out.

@aaronpk aaronpk closed this as completed Nov 19, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants