[OpenID] is openid 2.0 a lightweight identity system?

David Fuelling sappenin at gmail.com
Thu Feb 8 16:09:33 UTC 2007

Hey Rob,

Great post, and great questions.  I think you have the right idea in terms
of making the spec simpler.  However, OpenID has an interesting history in
that it is a community-based combination of several different (and previously
competing) "ways of doing" URL-based identity.  Just 12 months ago, the
community was not so unified!!

From my perspective, OpenID is "what it is" today because all of these
competing identity systems decided to merge.  The con here is that perhaps
we have too much in the spec.  The pro is that we have a unified approach
now -- everybody is on board with one single spec: OpenID 2.0.

My $0.02.


> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of rob
> Sent: Thursday, February 08, 2007 10:29 AM
> To: general at openid.net
> Subject: [OpenID] is openid 2.0 a lightweight identity system?
> I took a look at the OpenID Authentication 2.0 spec for the first time
> recently.  I thought it would be as simple as either the original OpenID
> spec or the DIX spec (hacked up my own DIX implementation in a day or
> two, loved it).
> However 2.0 now seems to be a merger of these two specs, with a sprinkle
> of "XRI" just for good measure. What this has produced is not as
> intuitive as either of its predecessors and I wonder whether it can
> still coin the phrase "lightweight".
> If I am understanding this new spec correctly, to implement support from
> scratch an RP needs to understand OpenID (currently 56 pages), Yadis
> resolution (22 pages), XRI resolution (currently 74 pages) and probably
> XRIs themselves (33 pages).  This no longer seems like a lightweight
> identity system to me (and there is no way I could now hack a complete
> system (OP and RP) together in a few days).
> I understand the trade-offs and compromises that need to be made during
> a spec's development, but has it drifted away from what I thought was its
> initial mandate, namely to provide a lightweight, i.e. easy to implement
> from scratch, federated identity system (we already have SAML)?
> Anyway, a couple of questions for you all:
> Does OpenID really need two optional ways of verifying the signatures,
> i.e. shared secret and direct request; can't we just pick one?
> Does OpenID really need to support XRI identifiers in the core; can't
> this be separated? This would remove 107 pages of additional
> specification reading and reduce the size of the OpenID spec.
> I hope this e-mail isn't viewed as negative, I just hadn't looked at
> what had been happening recently and wanted to pass on my gut reaction
> to the new spec.  I also see that a lot of this has been debated on the
> mailing list before, so apologies for rehashing old ground.
> Rob
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
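The two signature-verification paths Rob's quoted message asks about (RP-side verification with an association's shared secret, and a direct check_authentication request back to the OP) are small enough to show side by side. The following is an added illustration, not code from the thread or from any OpenID library: it implements the OpenID 2.0 Key-Value Form HMAC over the fields named in openid.signed, a toy in-memory Provider standing in for the OP endpoint, and an RP check that refuses any assertion whose required fields (op_endpoint, return_to, response_nonce, assoc_handle, and claimed_id/identity when present) are left out of openid.signed. The endpoint URLs, identifiers and nonce are constructed sample values.

```python
import base64
import hashlib
import hmac
import secrets

OPENID_NS = "http://specs.openid.net/auth/2.0"
# OpenID 2.0 requires these positive-assertion fields to be signed; claimed_id
# and identity must also be signed whenever they appear in the message.
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
IDENTITY_FIELDS = ("claimed_id", "identity")


def kv_form(fields, signed_keys):
    """Key-Value Form of the signed fields, in openid.signed order, with the
    'openid.' prefix stripped: this is the exact byte string the HMAC covers."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed_keys)


def sign(fields, mac_key, assoc_type="HMAC-SHA256"):
    """Base64(HMAC(mac_key, kv_form)), the value carried in openid.sig."""
    digest = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1
    data = kv_form(fields, fields["openid.signed"].split(",")).encode("utf-8")
    return base64.b64encode(hmac.new(mac_key, data, digest).digest()).decode("ascii")


def verify_with_association(fields, mac_key, assoc_type="HMAC-SHA256"):
    """Shared-secret mode: the RP holds the association's MAC key and checks
    the signature locally, with no further round trip to the OP."""
    signed_keys = fields.get("openid.signed", "").split(",")
    must_sign = REQUIRED_SIGNED + tuple(f for f in IDENTITY_FIELDS if "openid." + f in fields)
    if any(k not in signed_keys for k in must_sign):
        return False  # identity or return_to left unsigned: do not trust the assertion
    try:
        expected = sign(fields, mac_key, assoc_type)
    except KeyError:
        return False  # openid.signed names a field the message does not carry
    return hmac.compare_digest(expected, fields.get("openid.sig", ""))


def build_check_authentication(fields):
    """Direct-request mode: the RP has no key, so it echoes the assertion back
    to the OP (a direct POST in practice, simulated here) with the mode changed."""
    return dict(fields, **{"openid.mode": "check_authentication"})


class Provider:
    """Constructed stand-in for an OP endpoint (hypothetical, not a real server)."""

    def __init__(self, endpoint="https://op.example/endpoint"):
        self.endpoint = endpoint
        self.associations = {}  # assoc_handle -> MAC key

    def associate(self):
        """Outcome of the association handshake: a handle and a 256-bit MAC key."""
        handle = "assoc-" + secrets.token_hex(4)
        self.associations[handle] = secrets.token_bytes(32)
        return handle, self.associations[handle]

    def positive_assertion(self, handle, claimed_id, return_to, nonce):
        fields = {
            "openid.ns": OPENID_NS,
            "openid.mode": "id_res",
            "openid.op_endpoint": self.endpoint,
            "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id,
            "openid.return_to": return_to,
            "openid.response_nonce": nonce,
            "openid.assoc_handle": handle,
            "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
        }
        fields["openid.sig"] = sign(fields, self.associations[handle])
        return fields

    def check_authentication(self, request):
        """OP side of direct verification: recompute the HMAC with its own copy
        of the key and answer in Key-Value Form."""
        key = self.associations.get(request.get("openid.assoc_handle"))
        ok = key is not None and verify_with_association(request, key)
        return f"ns:{OPENID_NS}\nis_valid:{'true' if ok else 'false'}\n"


def demo():
    """Both paths on one assertion, plus a tampered copy that both must reject."""
    op = Provider()
    handle, key = op.associate()
    assertion = op.positive_assertion(handle, "https://alice.example/",
                                      "https://rp.example/finish", "2007-02-08T16:09:33ZAbC")
    local_ok = verify_with_association(assertion, key)
    remote = op.check_authentication(build_check_authentication(assertion))
    forged = dict(assertion, **{"openid.claimed_id": "https://mallory.example/"})
    return local_ok, remote, verify_with_association(forged, key)
```

The shared-secret path costs one association handshake up front and nothing per login; the direct-request path needs no RP-side key storage but adds a round trip to the OP on every assertion. Either way, the RP's own checks (required fields present in openid.signed, constant-time comparison of openid.sig, and a fresh response_nonce, which this toy does not track) are what keep a forged or altered assertion from being accepted.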
