Allen, combining what you just wrote with what Brian said on the board mailing list about MRDs -- perhaps it would make sense to set up a "bug tracking system" of some kind and use that to drive spec evolution?
On May 23, 2010, at 18:56, Allen Tom wrote:

> Hi Johannes,
>
> There isn’t a document summarizing the deficiencies with OpenID 2.0 discovery – I think it would be very useful for the WG and for the Community if we wrote this down
>
> Off the top of my head, some of the problems are:
>
> - Yadis discovery is very vague as to exactly how the RP is supposed to fetch the OP’s discovery document. Should it send the magic Accept header? Look for the X-XRDS-Location header in the response? Do HTML discovery? In practice, many implementers have had problems implementing discovery because there are too many ways to do it
> - Speaking of Yadis, the specs need to be revised, and it’s unclear how to go about doing this
> - Because a compromised discovery document can result in the complete breakdown in OpenID security – it’s important that we find ways to increase the security of discovery – perhaps it can be signed? Moved into DNS?
> - Discovery is hard to implement – the majority of the code in OpenID libraries is to implement discovery. We can probably simplify discovery to require less code to implement
> - Delegation is a really useful feature in OpenID – it was pretty straightforward in OpenID 1.1, but is very confusing (to say the least) in OpenID 2.0 – we can probably do something in discovery to make delegation work better
> - The infamous NASCAR problem could possibly be helped by discovery
> - The infamous phishing problem could also possibly be helped by discovery
> - LRDD, host-meta, and webfinger are pretty interesting – we should see how OpenID can leverage these new specs
>
> I’m sure that there are more issues with OpenID 2.0 discovery. Anyone else want to take a stab at it?
>
> Allen
>
>
> On 5/21/10 7:55 PM, "Johannes Ernst" <[email protected]> wrote:
>
>> On May 21, 2010, at 19:28, Allen Tom wrote:
>>
>>> ... there’s universal consensus that the existing OpenID 2.0 discovery mechanism is very deficient ...
>>
>> Is there a summary somewhere of this "universal consensus" of deficiencies?
>>
>> Thanks,
>>
>>
>> Johannes Ernst
>> NetMesh Inc.
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
