The nonce parameter has already been renamed to response_nonce (see draft 10) and I do not see the need for a request nonce within the protocol. See prior discussion on that.
There is nothing dictating it will be an extension forever. I don't see it being responsible adding it to the core specification at this point while questions of how to handle age around multiple factors of authentication, representing the type(s) of authentication used, or "authentication" on account creation (captcha, SMS, email, etc) are still rampant. Two identifiers are far more verbose and clear, but there is also plenty of discussion on this. As I said back in September, I'm only tracking proposals listed on the wiki page. :) --David -----Original Message----- From: Dick Hardt [mailto:[EMAIL PROTECTED] Sent: Tuesday, October 17, 2006 12:25 PM To: Recordon, David Cc: Josh Hoyt; specs@openid.net Subject: Re: Summarizing Where We're At On 16-Oct-06, at 3:24 PM, Recordon, David wrote: > And here are my votes: > > Request nonce and name > * Take no action So you are saying to NOT rename the parameter? +1 rename nonce to response_nonce +1 to put request_nonce in an extension for RP identity related functionality > Authentication age > * -1, write as an extension first Hmmm, that seems different then what you wrote earlier. If it is an extension, it will be an extension forever. It is optional, and is part of auth. I am +1 it is in the spec. > > Remove setup_url > * 0 for removing, +1 for asking feedback from implementers > > Consolidated Delegation Proposal > * -1 on status quo (draft 10) > * 0 on single-identifier +1 > * +1 on two-identifier -1 -- two identifiers are redundant and confusing. 1.x spec only had one identifier. > > Change default session type > * +1 0 > > Bare request > * 0 +1 btw: I don't think we have all the issues here. _______________________________________________ specs mailing list specs@openid.net http://openid.net/mailman/listinfo/specs