I agree with Martin. I believe that AX is the correct solution in the long run, but given that there appear to be more SREG implementations currently in the wild, we should update it to make it useful for sites that want to use it.

The other factor is that our lawyers feel very strongly that the user should have the opportunity to read the RP's privacy policy before authorizing any data exchange, and only SREG has the ability to do this automatically. The alternative would be to use OAuth, and require RPs to pre-register with Yahoo and provide their privacy policy and/or agree to a ToS before using our OP.

Allen

Martin Atkins wrote:

I agree that having both is not ideal, but I also feel strongly that we need to have a good SREG 1.1 spec because in practice today there are lots of SREG implementations and it is important to be able to interoperate with them even if in the long term we'd like to move to AX.

This is, incidentally, why I was previously proposing forming an SREG group whose task is *only* to fix the spec to reflect current practice. This should encourage SREG interop in the short term while new developments to AX will encourage a move to AX in the longer term.

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
