On 25-Sep-06, at 5:31 PM, Brad Fitzpatrick wrote:

> On Mon, 25 Sep 2006, Dick Hardt wrote:
>
>> If this is the case (David Fuelling's summary) then backwards
>> compatibility of the spec is not needed. If backwards compatibility
>> is required, then the 2.0 spec can just say that 1.1 must also be
>> supported.
>>
>> Although the spec may require systems to be backwards compatible, I
>> would argue that should be a choice of the site and not forced. An RP
>> may be concerned about supporting aspects of 1.1 due to replay
>> attacks etc.,
>
> An IdP can be resistant to replay attacks without 2.0.

It is the RP that has the replay problem. How do you resolve replay with 1.1 without a nonce?

> The Perl libraries for 1.x already do nonces.

But that is not in the 1.1 spec. Important to separate implementation from spec.

> Likewise, I haven't looked into it thoroughly, but I imagine people can do
> bad nonces with 2.0.

Once again, implementation is different than the spec.

>> I would predict though that most sites will support both 1.1 and 2.0
>
> One would hope.
>
> I'm not sure I'd predict that, though.
>
> If there's two specs that differ so much that all they share is a name, I
> predict you'd only support enough to make it work with the major site or
> sites you care about.

Agreed -- but the driver is likely the spec that supports the features you want. Clearly 1.1 supports everything you want for LJ, since you designed it!

> Which is why I'd like to keep LiveJournal at 1.x for the time being...
> because hopefully people care enough about LiveJournal's mass that they'll
> consider 1.x important. And/or the 2.x designers recognize that big sites
> (at least LiveJournal) will remain 1.x, so they'll do everything possible
> to make sure 2.x isn't different just to be different, but has really good
> reasons, and stays 1.x-interoperable with minimal pain to those having to
> implement it.

I am all for NOT making things different just to be different. There are many, many people waiting on the sidelines for 2.0 so that they get the features they want like attribute exchange.

But you are correct, who knows for sure what will happen. But if we keep moving at this pace, people may get bored/frustrated and move on. :-)

-- Dick

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
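The replay point argued above (the RP, not the IdP, is the party that can be fooled by a re-presented positive assertion, and OpenID 1.1 itself defines no nonce) is illustrated by the following added example. It is not code from this thread, from the OpenID 1.1 specification, or from the Perl libraries Brad mentions; it shows one way an RP can add replay protection on its own: mint a single-use, time-limited nonce, carry it in `return_to`, and consume it when the assertion comes back. The class and field names (`ReplayProtectedRP`, `rp_nonce`, `NONCE_TTL`) and the sample assertion are constructed for this example. The one fact it relies on is that OpenID 1.1 requires `return_to` to be among the signed fields, so a nonce carried there cannot be altered without invalidating the IdP's signature; signature verification itself (association or `check_authentication`) is assumed to have happened before `complete()` is called.

```python
"""RP-side replay protection for OpenID 1.x positive assertions.

Added example, not code from the thread or from any OpenID library.
Assumes signature verification has already been done by the caller;
this class only decides whether an already-verified assertion is fresh.
"""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

NONCE_TTL = 300  # seconds; a value chosen for this example, not from the spec


class ReplayProtectedRP:
    def __init__(self, base_return_to: str, now=time.time):
        self.base_return_to = base_return_to
        self.now = now                 # injectable clock so expiry can be tested
        self._pending = {}             # nonce -> expiry time; each entry is single-use

    def begin(self) -> str:
        """Mint a nonce and build the return_to URL for the checkid_setup request.

        The nonce rides in return_to because 1.1 requires return_to to be
        covered by the IdP's signature, so it arrives back unmodified.
        """
        nonce = secrets.token_urlsafe(16)
        self._pending[nonce] = self.now() + NONCE_TTL
        return f"{self.base_return_to}?{urlencode({'rp_nonce': nonce})}"

    def complete(self, response: dict) -> tuple:
        """Accept or reject a positive (id_res) assertion on freshness grounds.

        `response` holds the openid.* fields exactly as the IdP returned them.
        Returns (accepted: bool, reason: str).
        """
        if response.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        # The nonce is only trustworthy if return_to is inside the signature.
        signed = response.get("openid.signed", "").split(",")
        if "return_to" not in signed:
            return False, "return_to is not covered by the signature"
        rt = response.get("openid.return_to", "")
        if not rt.startswith(self.base_return_to):
            return False, "return_to does not belong to this RP"
        nonce = parse_qs(urlparse(rt).query).get("rp_nonce", [None])[0]
        if nonce is None:
            return False, "no nonce in return_to"
        # pop() consumes the nonce: a second presentation of the same
        # assertion finds nothing and is rejected as a replay.
        expiry = self._pending.pop(nonce, None)
        if expiry is None:
            return False, "unknown or already-used nonce (replay?)"
        if self.now() > expiry:
            return False, "nonce expired"
        return True, "accepted"


def demo():
    """Run one login and then replay the identical assertion."""
    rp = ReplayProtectedRP("https://rp.example/openid/return")
    return_to = rp.begin()
    # Constructed positive assertion, as the IdP would redirect it back to the RP.
    assertion = {
        "openid.mode": "id_res",
        "openid.identity": "http://alice.example/",
        "openid.return_to": return_to,
        "openid.signed": "mode,identity,return_to",
        "openid.sig": "constructed-signature-already-verified",
    }
    first = rp.complete(assertion)    # (True, 'accepted')
    second = rp.complete(assertion)   # (False, 'unknown or already-used nonce (replay?)')
    return first, second


if __name__ == "__main__":
    print(demo())
```

The nonce store is per-process here; a real RP would keep it in shared storage so that a replayed assertion cannot be accepted by a different front-end. Note also that this protects the RP only; it says nothing about the IdP-side protections Brad refers to, and it is an implementation choice layered on top of 1.1 rather than something the 1.1 specification mandates.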