On Nov 18, 2006, at 15:34, John Kemp wrote:
OpenID 1.1 did not have a large payload. We expect the payloads to be
much larger with OpenID 2.0.
I guess the payload size will vary according to the RP and IdP
implementations, no?
Yes. And so far the only need for large payload sizes that I have
seen relate to a still somewhat controversial spec that will only be
implemented by less than 100% of all RPs and IdPs (how far less we
can all guess).
Making something that has much broader appeal (auth) substantially
more restrictive because of the needs of another spec, that uses it,
and that may not even be implemented by everybody, sounds like an
architectural no-no to me. The obvious workaround: if that additional
spec only works with one of the several alternatives supported by the
auth spec, make the additional spec require to use that particular
mode (POST) only when it is used.
We will see if the JS requirement is an issue. I do not think it is
given what I know now.
Well, admittedly, if no-one except me thinks that redirects should be
supported in OpenID 2.0, then I certainly expect to lose that
argument ;)
This whole discussion sounds it's on the wrong foot to me in any
case. From my perspective, something is seriously wrong with an URL-
based protocol for authentication that works for one HTTP verb (POST)
but not for any other.
So, John, you certainly aren't the only one who thinks this way.
Johannes Ernst
NetMesh Inc.
http://netmesh.info/jernst
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
