[OpenID] is openid 2.0 a lightweight identity system?
Christopher St John
ckstjohn at gmail.com
Thu Feb 8 19:25:30 UTC 2007
On 2/8/07, Bob Wyman <bob at wyman.us> wrote:
> On 2/8/07, rob <robyates70 at gmail.com> wrote:
> > [OpenID] 2.0 ... is not as intuitive as either of its
> > predecessors and I wonder whether it can still coin
> > the phrase "lightweight".
> When and why is "lightness" useful? If no one adopts a "lighter" spec has
> anything useful been accomplished? Is it useful in non-academic contexts to
> build or define systems that are easier to understand but that will never be
Having implemented substantial portions of WS-Security, I can
a couple advantages to lightweight spec
1) A lighter-weight spec is easier to implement completely and
correctly. This is conventionally considered to be a good thing
for a security spec.
2) A lighter-weight spec is easier to understand, and thus use
correctly. Incorrect usage of correct specs has, historically, been
considered a substantial security risk.
As far as making the maximum number of security vendors happy
by making the spec more complex goes... well, I understand the
politics, but that isn't, traditionally, what goes into a good system.
I've reviewed version 1 and am just now getting into the details of
version 2. I'm preliminarily alarmed and disappointed, but as I can't
claim deep understanding yet, IANAL, YMMV, FWIW, etc, etc.
 WS-* is an absolute nightmare. Kitchen-sink approach,
all the warring spec-writers happy, users absolutely miserable.
Half-implemented, badly implemented, incorrectly implemented,
dozens of options, etc. Ugly stuff.
 Where lightweight is defined as "minimizing incorporating other
specs by reference" and "having a small number of optional portions"
as well as by sheer page count. You get the idea.
Christopher St. John