[OpenID] On OpenID 2.0
Martin Atkins
mart at degeneration.co.uk
Mon Apr 30 18:36:42 UTC 2007
ydnar wrote:
> On Apr 30, 2007, at 11:07 AM, Martin Atkins wrote:
>
>> To be honest, it's been so long since I thought about the 2.0 spec
>> that
>> I've forgotten what the full list of new stuff is. Off the top of my
>> head I can think of:
>> * Directed identity aka "put in the URL of your IdP, not of you."
>> * A formalized extension mechanism
>
> These two are pretty significant--can they be implemented in a way
> that’s backwards compatible with OpenID 1.x?
>
Well, that was what I was asking... in my usual roundabout way. :)
However...
The formalized extension mechanism is really just a naming convention.
Since extensions are optional by definition, there's no reason the
convention couldn't be used against existing 1.1 clients... they'd just
ignore the extension parameters.[1]
Directed identity is trickier, since it is useless unless the RPs
change. I've never really been convinced that requiring RPs to cooperate
with directed identity is a good idea anyway; it'd make much more sense
to do this in a way that the RP can't tell that it's being fed a
one-time identifier. That's a discussion for another thread, though. :)
[1] To remain compatible with existing implementations of sreg, everyone
would have to retain the "sreg" namespace prefix as a convention, but
that one special case is not a huge deal in my opinion.
More information about the general
mailing list