[OpenID] On OpenID 2.0

Martin Atkins mart at degeneration.co.uk
Mon Apr 30 18:36:42 UTC 2007


ydnar wrote:
> On Apr 30, 2007, at 11:07 AM, Martin Atkins wrote:
> 
>> To be honest, it's been so long since I thought about the 2.0 spec
>> that I've forgotten what the full list of new stuff is. Off the top
>> of my head I can think of:
>>   * Directed identity aka "put in the URL of your IdP, not of you."
>>   * A formalized extension mechanism
> 
> These two are pretty significant--can they be implemented in a way  
> that’s backwards compatible with OpenID 1.x?
> 

Well, that was what I was asking... in my usual roundabout way. :)

However...

The formalized extension mechanism is really just a naming convention. 
Since extensions are optional by definition, there's no reason the 
convention couldn't be used against existing 1.1 clients... they'd just 
ignore the extension parameters.[1]

Directed identity is trickier, since it is useless unless the RPs 
change. I've never really been convinced that requiring RPs to cooperate 
with directed identity is a good idea anyway; it'd make much more sense 
to do this in a way that the RP can't tell that it's being fed a 
one-time identifier. That's a discussion for another thread, though. :)



[1] To remain compatible with existing implementations of sreg, everyone 
would have to retain the "sreg" namespace prefix as a convention, but 
that one special case is not a huge deal in my opinion.
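
Added example, not part of the original message: a Python sketch of the naming convention discussed above. It shows a 1.1 consumer ignoring alias-declared extension parameters, and why the bare "sreg" prefix has to be retained (footnote [1]). The `openid.ns.<alias>` declaration form and the sreg 1.1 namespace URI are taken from the OpenID 2.0 and Simple Registration drafts; the function names, the `ext1` and `reg` aliases, and the sample queries are constructed for illustration.

```python
from urllib.parse import parse_qsl, quote

SREG_NS = "http://openid.net/extensions/sreg/1.1"
# Core response fields a 1.1 consumer understands (without the "openid." prefix).
CORE_FIELDS = {"mode", "identity", "return_to", "assoc_handle",
               "signed", "sig", "invalidate_handle"}

def openid_fields(query):
    """Return the openid.* parameters of a query string, prefix stripped."""
    return {k[len("openid."):]: v for k, v in parse_qsl(query)
            if k.startswith("openid.")}

def split_params(query):
    """2.0-style view: (core, extensions keyed by namespace URI, unknown)."""
    fields = openid_fields(query)
    # openid.ns.<alias>=<URI> declares which prefix an extension uses.
    aliases = {k[3:]: v for k, v in fields.items() if k.startswith("ns.")}
    # Footnote [1]: an undeclared "sreg" prefix is still read as sreg.
    aliases.setdefault("sreg", SREG_NS)
    core, extensions, unknown = {}, {}, {}
    for key, value in fields.items():
        if key == "ns" or key.startswith("ns."):
            continue  # namespace declarations carry no data themselves
        alias, dot, name = key.partition(".")
        if dot and alias in aliases:
            extensions.setdefault(aliases[alias], {})[name] = value
        elif key in CORE_FIELDS:
            core[key] = value
        else:
            unknown[key] = value
    return core, extensions, unknown

def legacy_11_view(query):
    """What a 1.1 consumer reads: core fields plus the fixed 'sreg.' prefix."""
    return {k: v for k, v in openid_fields(query).items()
            if k in CORE_FIELDS or k.startswith("sreg.")}

# Constructed sample: one aliased extension plus old-style sreg.
SAMPLE = ("openid.mode=id_res&openid.identity=http%3A%2F%2Fexample.com%2Fuser"
          "&openid.ns.ext1=http%3A%2F%2Fexample.org%2Fext%2F1.0"
          "&openid.ext1.color=blue&openid.sreg.nickname=alice")
# Constructed sample: sreg sent under a different alias ("reg").
RENAMED = ("openid.mode=id_res&openid.ns.reg=" + quote(SREG_NS, safe="")
           + "&openid.reg.nickname=alice")

if __name__ == "__main__":
    print(split_params(SAMPLE))
    print(legacy_11_view(SAMPLE))   # ext1.* silently ignored
    print(legacy_11_view(RENAMED))  # nickname lost: prefix was not "sreg"
```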



