[OpenID] is openid 2.0 a lightweight identity system?

rob robyates70 at gmail.com
Thu Feb 8 15:29:14 UTC 2007


I took a look at the OpenID Authentication 2.0 spec for the first time 
recently.  I thought it would be as simple as either the original OpenID 
spec or the DIX spec (I hacked up my own DIX implementation in a day or 
two, and loved it).

However, 2.0 now seems to be a merger of these two specs, with a sprinkle 
of "XRI" just for good measure. What this has produced is not as 
intuitive as either of its predecessors, and I wonder whether it can 
still coin the phrase "lightweight".

If I am understanding this new spec correctly, to implement support from 
scratch an RP needs to understand OpenID (currently 56 pages), Yadis 
resolution (22 pages), XRI resolution (currently 74 pages) and probably 
XRIs themselves (33 pages).  This no longer seems like a lightweight 
identity system to me (and there is no way I could now hack a complete 
system (OP and RP) together in a few days).

I understand the trade-offs and compromises that need to be made during 
a spec's development, but has it drifted away from what I thought was its 
initial mandate, namely to provide a lightweight, i.e. easy to implement 
from scratch, federated identity system (we already have SAML)?

Anyway, a couple of questions for you all:

Does OpenID really need two optional ways of verifying the signatures, 
i.e. shared secret and direct request? Can't we just pick one?
Does OpenID really need to support XRI identifiers in the core? Can't 
this be separated? This would remove 107 pages of additional 
specification reading and reduce the size of the OpenID spec.

I hope this e-mail isn't viewed as negative; I just hadn't looked at 
what had been happening recently and wanted to pass on my gut reaction 
to the new spec.  I also see that a lot of this has been debated on the 
mailing list before, so apologies for rehashing old ground.

Rob
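The two signature-verification paths Rob asks about, shown side by side as an added example (this is not code from the e-mail, from the OpenID specs, or from any OpenID library). It follows the OpenID Authentication 2.0 rules for signing: the fields named in openid.signed are encoded in Key-Value Form ("name:value" with the "openid." prefix stripped, one per line, in the listed order) and HMAC'd with the association's MAC key. A stateful RP recomputes that HMAC itself with the shared secret; a stateless RP instead posts the assertion back to the OP with openid.mode=check_authentication and trusts the OP's is_valid answer. The association handle, MAC key, endpoint URL, user identifier and nonce are all constructed for the example; a real association would be set up with an "associate" request, and a real OP would also record nonces so the same assertion cannot be validated twice.

```python
import base64
import hashlib
import hmac
import secrets

OPENID_NS = "http://specs.openid.net/auth/2.0"

# Constructed association. In OpenID 2.0 the RP and OP would agree this MAC key
# through an "associate" request (plain or Diffie-Hellman); here it is made up.
ASSOC_HANDLE = "example-assoc-handle-1"       # hypothetical handle
MAC_KEY = secrets.token_bytes(20)             # 160-bit key, as used with HMAC-SHA1
OP_ENDPOINT = "https://op.example/endpoint"   # hypothetical OP endpoint URL


def kv_form(params, signed):
    """Key-Value Form of the signed fields: for each name listed in
    openid.signed, in that order, emit 'name:value\\n' with the 'openid.'
    prefix removed from the key."""
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed.split(","))


def compute_sig(params, mac_key, assoc_type="HMAC-SHA1"):
    """Base64-encoded HMAC over the Key-Value Form of the signed fields."""
    digest = hashlib.sha1 if assoc_type == "HMAC-SHA1" else hashlib.sha256
    message = kv_form(params, params["openid.signed"]).encode("utf-8")
    return base64.b64encode(hmac.new(mac_key, message, digest).digest()).decode("ascii")


def op_positive_assertion(claimed_id, return_to, mac_key):
    """OP side: build and sign an id_res response for a constructed user."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
        "openid.return_to": return_to,
        # Must be unique per assertion so the RP can refuse replays.
        "openid.response_nonce": "2007-02-08T15:29:14Zabc123",
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = compute_sig(params, mac_key)
    return params


def rp_verify_with_association(params, mac_key):
    """Stateful RP path: recompute the HMAC with the shared secret and
    compare in constant time. No round trip to the OP is needed."""
    if params.get("openid.mode") != "id_res":
        return False
    try:
        expected = compute_sig(params, mac_key)
    except KeyError:            # a field listed in openid.signed is missing
        return False
    return hmac.compare_digest(expected, params.get("openid.sig", ""))


def rp_build_check_authentication(params):
    """Stateless RP path: send the assertion back to the OP with openid.mode
    changed to check_authentication and every other field left unchanged."""
    request = dict(params)
    request["openid.mode"] = "check_authentication"
    return request


def op_check_authentication(request, associations):
    """OP side of the direct request: look up a handle this OP issued and
    verify the signature as if openid.mode were id_res. A real OP must also
    remember response_nonce values so one assertion is not validated twice."""
    if request.get("openid.mode") != "check_authentication":
        return {"ns": OPENID_NS, "is_valid": "false"}
    mac_key = associations.get(request.get("openid.assoc_handle"))
    if mac_key is None:
        return {"ns": OPENID_NS, "is_valid": "false"}
    as_id_res = dict(request)
    as_id_res["openid.mode"] = "id_res"
    valid = rp_verify_with_association(as_id_res, mac_key)
    return {"ns": OPENID_NS, "is_valid": "true" if valid else "false"}


if __name__ == "__main__":
    assertion = op_positive_assertion("https://alice.example/", "https://rp.example/return", MAC_KEY)
    print("shared-secret check:", rp_verify_with_association(assertion, MAC_KEY))
    reply = op_check_authentication(rp_build_check_authentication(assertion), {ASSOC_HANDLE: MAC_KEY})
    print("check_authentication reply:", reply)
```

The shared-secret path costs the RP an association request up front and some key storage; the direct-request path costs one extra HTTPS round trip per login but lets the RP stay stateless. Both paths end in the same HMAC comparison, which is the point of keeping a single Key-Value Form signing rule underneath them.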