It isn't super hard, at least for the IdPs that are using a single XRDS template for all of their users.
The 12 people who use delegation will be messed up, but they can move to another OpenID 2.0 provider. The RP needing to do the extra verification step on the XRDS is the only real extra work. It is certainly doable, and as I say probably needs to be done for http -> https migration anyway. It would be nice if we standardized a way for the user's page to point back to the OP as being authoritative for it, assuming that OPs actually verify the page in some way. It is simple if it is all controlled by the OP, but if they let people enter contact pages on 3rd parties it gets interesting. Perhaps a rel me to their OpenID Connect URI? It needs thinking through, hopefully before going into production. I don't see it as insurmountable but not something that is trivial. The devil is in the details.

John B.

On 2010-05-25, at 10:00 PM, Allen Tom wrote:

> Hi John -
>
> Isn't adding a new "OpenID Connect/OpenID 2.0 migration" service to the
> OpenID 2.0 identifier's discovery document fairly easy?
>
> Allen
>
>
> On 5/25/10 6:44 PM, "John Bradley" <[email protected]> wrote:
>
>> Allen,
>>
>> Simply passing the old identifier as an attribute is not enough on its own,
>> for account migration.
>> The RP will need to confirm the OP is actually authoritative in some way. We
>> would need to add a service to the old XRDS to say that the new endpoint is
>> authoritative for OpenID Connect and have the RP do an extra discovery step,
>> or something similar.
>
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
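
The extra discovery step discussed in this message, sketched as an added example (not code from the thread or from any OpenID specification): the RP fetches the XRDS for the old OpenID 2.0 identifier and accepts the migration only if that document lists the asserting OP. The service type URN, the hostnames and the function names are hypothetical, since the thread did not define a migration service type.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "{xri://$xrd*($v*2.0)}"
# Hypothetical service type; no such type was standardized in the thread.
MIGRATION_TYPE = "urn:example:hypothetical:openid-connect-migration"

# Constructed sample of the XRDS an RP might fetch for the old identifier.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/openid2</URI>
    </Service>
    <Service>
      <Type>urn:example:hypothetical:openid-connect-migration</Type>
      <URI>https://connect.op.example/</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def authoritative_connect_endpoints(xrds_bytes):
    """Return the URIs the old identifier's XRDS names for the migration service."""
    # Discovery documents come from the network: refuse DTDs and entities outright.
    if b"<!DOCTYPE" in xrds_bytes or b"<!ENTITY" in xrds_bytes:
        raise ValueError("DTD not allowed in discovery document")
    xrd_elements = ET.fromstring(xrds_bytes).findall(XRD_NS + "XRD")
    if not xrd_elements:
        return set()
    endpoints = set()
    # Yadis uses the last XRD element in the document.
    for svc in xrd_elements[-1].findall(XRD_NS + "Service"):
        types = {(t.text or "").strip() for t in svc.findall(XRD_NS + "Type")}
        if MIGRATION_TYPE in types:
            endpoints.update((u.text or "").strip() for u in svc.findall(XRD_NS + "URI"))
    return endpoints

def may_migrate(xrds_bytes, asserting_op):
    """True only if the OP passing the old identifier is listed in that identifier's XRDS."""
    parts = urlsplit(asserting_op)
    if parts.scheme != "https" or not parts.netloc:
        return False
    try:
        return asserting_op in authoritative_connect_endpoints(xrds_bytes)
    except (ET.ParseError, ValueError):
        return False  # fail closed on malformed or suspicious documents
```

The comparison is an exact string match on purpose: an OP that is listed only under the OpenID 2.0 signon type, or that differs in scheme or host, is not treated as authoritative.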
