Difference between 1.0 and 1.1

2008-03-12 Thread techtonik
Hi.

What is the difference between OpenID authentication version 1.0 and 1.1?
We need some arguments to switch preferable backwards compatibility scheme
from 1.0 to 1.1 in Drupal. Looks like there is no way to detect which
version of these two is used in case of HTML delegation and this causes
problems between Drupal 5 and Blogger, because Drupal chooses 1.0 in this
case.

WBR,

-- 
--anatoly t.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Difference between 1.0 and 1.1

2008-03-12 Thread John Ehn
Anatoly,

1.0 was an informal specification, so it was prone to ambiguities.
1.1solved the majority of these problems, as it is clearer which
aspects of the
specification are optional and mandatory.

As far as I know, OpenID 1.1 is what all consumers should be supporting at
this point.

Thanks,

John Ehn
extremeswank.com


On 3/12/08, techtonik [EMAIL PROTECTED] wrote:

 Hi.

 What is the difference between OpenID authentication version 1.0 and 1.1?
 We need some arguments to switch preferable backwards compatibility scheme
 from 1.0 to 1.1 in Drupal. Looks like there is no way to detect which
 version of these two is used in case of HTML delegation and this causes
 problems between Drupal 5 and Blogger, because Drupal chooses 1.0 in this
 case.

 WBR,

 --
 --anatoly t.
 ___
 specs mailing list
 specs@openid.net
 http://openid.net/mailman/listinfo/specs


___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Difference between 1.0 and 1.1

2008-03-12 Thread techtonik
So, if I understand correctly there is no way for consumer to detect which
version - 1.0 or 1.1 is used in HTML delegation case, because delegation
tags are the same, i.e.

link rel=openid.server href=http://www.livejournal.com/openid/server.bml

link rel=openid.delegate href=http://exampleuser.livejournal.com/;
so in my case Drupal consumer decides that either 1.0 or 1.1 version of
specification is used and makes a request to OpenID server with
openid.nsset to either 
http://openid.net/signon/1.1; or http://openid.net/signon/1.0;. But
1.1OpenID server doesn't know anything about
openid.ns, because it was added only in 2.0  Therefore server fails to
authenticate and this should be considered a bug in consumer, which should
not send openid.ns at all. If everything above is right then where is the
logic and what are the reasons for consumer to send openid.ns=
http://openid.net/signon/1.1; at all?

Thank you.

On Wed, Mar 12, 2008 at 3:38 PM, John Ehn [EMAIL PROTECTED] wrote:

 Anatoly,

 1.0 was an informal specification, so it was prone to ambiguities.  1.1solved 
 the majority of these problems, as it is clearer which aspects of the
 specification are optional and mandatory.

 As far as I know, OpenID 1.1 is what all consumers should be supporting at
 this point.

 Thanks,

 John Ehn
 extremeswank.com


 On 3/12/08, techtonik [EMAIL PROTECTED] wrote:

  Hi.
 
  What is the difference between OpenID authentication version 1.0 and 1.1
  ?
  We need some arguments to switch preferable backwards compatibility
  scheme from 1.0 to 1.1 in Drupal. Looks like there is no way to detect
  which version of these two is used in case of HTML delegation and this
  causes problems between Drupal 5 and Blogger, because Drupal chooses 1.0in 
  this case.
 
  WBR,
 
  --
  --anatoly t.
  ___
  specs mailing list
  specs@openid.net
  http://openid.net/mailman/listinfo/specs
 
 



-- 
--anatoly t.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Difference between 1.0 and 1.1

2008-03-12 Thread James Henstridge
On 12/03/2008, techtonik [EMAIL PROTECTED] wrote:
 So, if I understand correctly there is no way for consumer to detect which
 version - 1.0 or 1.1 is used in HTML delegation case, because delegation
 tags are the same, i.e.


 link rel=openid.server
 href=http://www.livejournal.com/openid/server.bml;
 link rel=openid.delegate
 href=http://exampleuser.livejournal.com/; so in my case
 Drupal consumer decides that either 1.0 or 1.1 version of specification is
 used and makes a request to OpenID server with openid.ns set to either
 http://openid.net/signon/1.1; or http://openid.net/signon/1.0;. But 1.1
 OpenID server doesn't know anything about openid.ns, because it was added
 only in 2.0  Therefore server fails to authenticate and this should be
 considered a bug in consumer, which should not send openid.ns at all. If
 everything above is right then where is the logic and what are the reasons
 for consumer to send openid.ns=http://openid.net/signon/1.1; at all?

OpenID 1.x messages do not contain an openid.ns field.  That field was
introduced in OpenID 2.0, and states that All messages in OpenID
Authentication 1.1 omit the openid.ns parameter.

If you are sending requests with openid.ns set to anything other than
http://specs.openid.net/auth/2.0; you are going to run into trouble.

James.
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Difference between 1.0 and 1.1

2008-03-12 Thread Brad Fitzpatrick
1.0 existed only for a few weeks in the wild (on LiveJournal) before
1.1spec came out.  If you're really curious, dig through the Perl
OpenID
libraries they're the only wants that ever spoke 1.0 and not 1.1.


2008/3/12 techtonik [EMAIL PROTECTED]:

 Hi.

 What is the difference between OpenID authentication version 1.0 and 1.1?
 We need some arguments to switch preferable backwards compatibility scheme
 from 1.0 to 1.1 in Drupal. Looks like there is no way to detect which
 version of these two is used in case of HTML delegation and this causes
 problems between Drupal 5 and Blogger, because Drupal chooses 1.0 in this
 case.

 WBR,

 --
 --anatoly t.
 ___
 specs mailing list
 specs@openid.net
 http://openid.net/mailman/listinfo/specs


___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Difference between 1.0 and 1.1

2008-03-12 Thread John Ehn
On 3/12/08, techtonik [EMAIL PROTECTED] wrote:

 So, if I understand correctly there is no way for consumer to detect which
 version - 1.0 or 1.1 is used in HTML delegation case, because delegation
 tags are the same, i.e.

 link rel=openid.server href=
 http://www.livejournal.com/openid/server.bml;
 link rel=openid.delegate href=http://exampleuser.livejournal.com/;
 so in my case Drupal consumer decides that either 1.0 or 1.1 version of
 specification is used and makes a request to OpenID server with openid.nsset 
 to either 
 http://openid.net/signon/1.1; or http://openid.net/signon/1.0;. But 
 1.1OpenID server doesn't know anything about
 openid.ns, because it was added only in 2.0  Therefore server fails to
 authenticate and this should be considered a bug in consumer, which should
 not send openid.ns at all. If everything above is right then where is the
 logic and what are the reasons for consumer to send openid.ns=
 http://openid.net/signon/1.1; at all?

 Thank you.



Just to add my 2 cents, that namespace was introduced so you can discover an
OpenID Server using XRI.  That would be in the XRDS document to advertise
that the OpenID Server supported a specific version of the spec.  Since
OpenID 2.0 incorporates the XRI feature (which was a sort of third-party
add-on to the OpenID 1.x spec), that namespace is still used.

But, like James said, you shouldn't use openid.ns with 2.0 anyway.

Thanks,

John Ehn
extremeswank.com
___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs


Re: Difference between 1.0 and 1.1

2008-03-12 Thread Kevin Turner
On Wed, 2008-03-12 at 16:28 +0200, techtonik wrote:
 But 1.1 OpenID server doesn't know anything about openid.ns, because
 it was added only in 2.0  Therefore server fails to authenticate and
 this should be considered a bug in consumer, which should not send
 openid.ns at all. If everything above is right then where is the logic
 and what are the reasons for consumer to send
 openid.ns=http://openid.net/signon/1.1; at all?

Yeah, we discovered that there are people sending openid.ns with v1
messages to myOpenID.  I think the case where this happens most is when
someone has set up their own page with version 1 style delegation, with
a openid.server link instead of openid2.provider.  Then you can get
a v2-capable RP talking to a v2-capable OP, but since the delegation
format is stale, they use v1 messages.  Whereas a real v1 OP may well
just ignore openid.ns, because it didn't exist, this ns-aware
v2-capable OP tries to inspect it to see what version it is...

and the fact that there are *two* namespaces in the v2 spec for v1
OpenID is sort of a disaster, but both of them are being used in this
way now.  (Drupal was sending whichever one I wasn't expecting...)


___
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs