[OpenID] is openid 2.0 a lightweight identity system?

Christopher St John ckstjohn at gmail.com
Thu Feb 8 19:25:30 UTC 2007

On 2/8/07, Bob Wyman <bob at wyman.us> wrote:
> On 2/8/07, rob <robyates70 at gmail.com> wrote:
> > [OpenID] 2.0 ... is not as intuitive as either of its
> > predecessors and I wonder whether it can still coin
> > the phrase "lightweight".
> When and why is "lightness" useful? If no one adopts a "lighter" spec has
> anything useful been accomplished? Is it useful in non-academic contexts to
> build or define systems that are easier to understand but that will never be
> used?

Having implemented substantial portions of WS-Security[1], I can
see a couple of advantages to a lightweight spec[2]:

1) A lighter-weight spec is easier to implement completely and
correctly. This is conventionally considered to be a good thing
for a security spec.

2) A lighter-weight spec is easier to understand, and thus use
correctly. Incorrect usage of correct specs has, historically, been
considered a substantial security risk.

As far as making the maximum number of security vendors happy
by making the spec more complex goes... well, I understand the
politics, but that isn't, traditionally, what goes into a good system.

I've reviewed version 1 and am just now getting into the details of
version 2. I'm preliminarily alarmed and disappointed, but as I can't
claim deep understanding yet, IANAL, YMMV, FWIW, etc, etc.


[1] WS-* is an absolute nightmare. Kitchen-sink approach,
all the warring spec-writers happy, users absolutely miserable.
Half-implemented, badly implemented, incorrectly implemented,
dozens of options, etc. Ugly stuff.

[2] Where lightweight is defined as "minimizing incorporating other
specs by reference" and "having a small number of optional portions"
as well as by sheer page count. You get the idea.

Christopher St. John