When it comes to delegation, it probably is the discovery service that
has to turn the user supplied identifier to a persistent identifier.
Unfortunately, it is not done so right now, and it is the authentication
service that does it.
If we really need the delegation feature, this is one of the thing that
we should probably be addressing as well.
Please see also a series of blog entries :
http://www.sakimura.org/en/search.php?query=Discovery&action=results
<http://us1.sakimura.org/en/search.php?query=Discovery&action=results>
Cheers,
=nat
(2010/05/24 10:56), Allen Tom wrote:
Hi Johannes,
There isn't a document summarizing the deficiencies with OpenID 2.0
discovery -- I think it would be very useful for the WG and for the
Community if we wrote this down
Off the top of my head, some of the problems are:
* Yadis discovery is very vague as to exactly how the RP is
supposed to fetch the OP's discovery document. Should it send
the magic Accept header? Look for the X-XRDS-Location header in
the response? Do HTML discovery? In practice, many implementers
have had problems implementing discovery because there are too
many ways to do it
* Speaking of Yadis, the specs need to be revised, and it's
unclear how to go about doing this
* Because a compromised discovery document can result in the
complete breakdown in OpenID security -- it's important that we
find ways to increase the security of discovery -- perhaps it
can be signed? Moved into DNS?
* Discovery is hard to implement -- the majority of the code in
OpenID libraries is to implement discovery. We can probably
simplify discovery to require less code to implement
* Delegation is a really useful feature in OpenID -- it was pretty
straightforward in OpenID 1.1, but is very confusing (to say the
least) in OpenID 2.0 -- we can probably do something in
discovery to make delegation work better
* The infamous NASCAR problem could possibly be helped by discovery
* The infamous phishing problem could also possibly be helped by
discovery
* LRDD, host-meta, and webfinger are pretty interesting -- we
should see how OpenID can leverage these new specs
I'm sure that there are more issues with OpenID 2.0 discovery. Anyone
else want to take a stab at it?
Allen
On 5/21/10 7:55 PM, "Johannes Ernst" <[email protected]> wrote:
On May 21, 2010, at 19:28, Allen Tom wrote:
... there's universal consensus that the existing OpenID 2.0
discovery mechanism is very deficient ...
Is there a summary somewhere of this "universal consensus" of
deficiencies?
Thanks,
Johannes Ernst
NetMesh Inc.
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
--
Nat Sakimura ([email protected])
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547
????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
PLEASE READ:
The information contained in this e-mail is confidential and intended for the
named recipient(s) only.
If you are not an intended recipient of this e-mail, you are hereby notified
that any review, dissemination, distribution or duplication of this message is
strictly prohibited. If you have received this message in error, please notify
the sender immediately and delete your copy from your system.
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
