Hi Johannes, There isn¹t a document summarizing the deficiencies with OpenID 2.0 discovery I think it would be very useful for the WG and for the Community if we wrote this down
Off the top of my head, some of the problems are: * Yadis discovery is very vague as to exactly how the RP is supposed to fetch the OP¹s discovery document. Should it send the magic Accept header? Look for the X-XRDS-Location header in the response? Do HTML discovery? In practice, many implementers have had problems implementing discovery because there are too many ways to do it * Speaking of Yadis, the specs need to be revised, and it¹s unclear how to go about doing this * Because a compromised discovery document can result in the complete breakdown in OpenID security it¹s important that we find ways to increase the security of discovery perhaps it can be signed? Moved into DNS? * Discovery is hard to implement the majority of the code in OpenID libraries is to implement discovery. We can probably simplify discovery to require less code to implement * Delegation is a really useful feature in OpenID it was pretty straightforward in OpenID 1.1, but is very confusing (to say the least) in OpenID 2.0 we can probably do something in discovery to make delegation work better * The infamous NASCAR problem could possibly be helped by discovery * The infamous phishing problem could also possibly be helped by discovery * LRDD, host-meta, and webfinger are pretty interesting we should see how OpenID can leverage these new specs I¹m sure that there are more issues with OpenID 2.0 discovery. Anyone else want to take a stab at it? Allen On 5/21/10 7:55 PM, "Johannes Ernst" <[email protected]> wrote: > On May 21, 2010, at 19:28, Allen Tom wrote: > >> ... there¹s universal consensus that the existing OpenID 2.0 discovery >> mechanism is very deficient ... > > Is there a summary somewhere of this "universal consensus" of deficiencies? > > Thanks, > > > Johannes Ernst > NetMesh Inc. > > > >
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
