[OpenID] is openid 2.0 a lightweight identity system?

Martin Atkins mart at degeneration.co.uk
Fri Feb 9 08:05:14 UTC 2007

Robert Yates wrote:
> For example, how much resistance would there actually be to removing
> "Diffie-Hellman Associations" and instead always relying upon a
> "Direct Request".  If folks really want to use associations they can
> always fall back to openid 1.1 which "should" be supported by all
> parties anyway.

The Diffie-Hellman Associations were added because of possible attacks 
on the 1.0 variation on direct request authorization.

I think if either were to go, it'd be direct request. It's really only 
still there to support RPs that are unable to store any state and thus 
can't maintain an association. Making *those* RPs fall back to OpenID 1.1 
could be a reasonable option, since they should be in the minority anyway.
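
The two mechanisms the message contrasts, as an added example that is not code from this thread or from any OpenID library: an OP, a stateful RP that negotiates a DH-SHA1 association and then verifies assertions locally, and a stateless RP that keeps nothing and so must send every assertion back to the OP as a check_authentication direct request. The OP object stands in for the HTTP direct requests ("associate" and "check_authentication"); the endpoint URLs, identifiers and nonce values are made up, and the DH modulus is the spec's default as reproduced here, to be checked against Appendix B before any real use.

```python
"""OpenID 2.0 DH association vs stateless check_authentication, modelled in one process.
Added example, not code from the thread or from any OpenID library; endpoints and
identifiers are made up. One OP, one RP that keeps an association, one RP that keeps nothing."""
import base64
import hashlib
import hmac
import secrets

# OpenID 2.0 default DH modulus/generator (spec Appendix B, reproduced here from memory:
# verify against the spec before reuse; any large safe prime serves the demonstration).
MODULUS = int(
    "DCF93A0B883972EC0E19989AC5A2CE310E1D37717E8D9571BB7623731866E61E"
    "F75A2E27898B057F9891C2E27A639C3F29B60814581CD3B2CA3986D268370557"
    "7D45C2E7E52DC81C7A171876E5CEA74B1448BFDFAF18828EFD2519F14E45E382"
    "6634AF1949E5B535CC829A483B8A76223E5D490A257F05BDFF16F2FB22C583AB", 16)
GENERATOR = 2
SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,signed"

def btwoc(n: int) -> bytes:
    """Big-endian two's complement of a non-negative integer (spec 4.2): minimal, high bit clear."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def kv_form(fields: dict) -> bytes:
    """Key-Value Form of exactly the fields named in 'signed', in that order (spec 6.1)."""
    return "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(",")).encode()

def mac(key: bytes, fields: dict) -> str:
    """Base64 HMAC-SHA1 over the Key-Value Form, as carried in openid.sig."""
    return base64.b64encode(hmac.new(key, kv_form(fields), hashlib.sha1).digest()).decode()

def dh_keypair():
    priv = secrets.randbelow(MODULUS - 2) + 1
    return priv, pow(GENERATOR, priv, MODULUS)

def dh_digest(their_public: int, my_private: int) -> bytes:
    """SHA1(btwoc(g^xy mod p)): the pad that hides the MAC key on the wire (spec 8.2.3)."""
    return hashlib.sha1(btwoc(pow(their_public, my_private, MODULUS))).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class OP:
    def __init__(self):
        self.endpoint = "https://op.example/openid"  # hypothetical
        self.shared_assocs = {}   # handle -> MAC key agreed with an RP over DH
        self.private_assocs = {}  # handle -> MAC key the OP keeps for stateless RPs
        self.checked_nonces = set()

    def associate(self, rp_public: int):
        """'associate' direct request, session_type DH-SHA1: MAC key leaves XORed with the DH pad."""
        priv, op_public = dh_keypair()
        mac_key, handle = secrets.token_bytes(20), secrets.token_hex(8)
        self.shared_assocs[handle] = mac_key
        return handle, op_public, xor(mac_key, dh_digest(rp_public, priv))

    def sign_assertion(self, handle, claimed_id: str, return_to: str) -> dict:
        if handle is None:  # RP sent no handle: the OP makes a private association only it knows
            handle = "priv-" + secrets.token_hex(8)
            self.private_assocs[handle] = secrets.token_bytes(20)
        key = self.shared_assocs.get(handle) or self.private_assocs[handle]
        fields = {"mode": "id_res", "op_endpoint": self.endpoint, "claimed_id": claimed_id,
                  "identity": claimed_id, "return_to": return_to, "assoc_handle": handle,
                  "response_nonce": "2007-02-09T08:05:14Z" + secrets.token_hex(4), "signed": SIGNED}
        fields["sig"] = mac(key, fields)
        return fields

    def check_authentication(self, fields: dict) -> bool:
        """Direct request from a stateless RP: private handles only, and each nonce checked once."""
        key = self.private_assocs.get(fields["assoc_handle"])
        if key is None or fields["response_nonce"] in self.checked_nonces:
            return False
        self.checked_nonces.add(fields["response_nonce"])
        return hmac.compare_digest(mac(key, fields), fields["sig"])

class StatefulRP:
    """Holds the association, so it verifies locally (a real RP also tracks nonces itself)."""
    def __init__(self, op: OP):
        priv, rp_public = dh_keypair()
        self.handle, op_public, enc_mac_key = op.associate(rp_public)
        self.mac_key = xor(enc_mac_key, dh_digest(op_public, priv))  # same pad, so MAC key recovered

    def verify(self, fields: dict) -> bool:
        return fields["assoc_handle"] == self.handle and hmac.compare_digest(mac(self.mac_key, fields), fields["sig"])

class StatelessRP:
    """Keeps no state between requests, so every assertion costs a round trip to the OP."""
    handle = None
    def __init__(self, op: OP): self.op = op
    def verify(self, fields: dict) -> bool: return self.op.check_authentication(fields)

def demo() -> dict:
    op, out = OP(), {}
    stateless = StatelessRP(op)
    args = ("https://alice.example/", "https://rp.example/return")  # constructed identifiers
    for name, rp in (("stateful", StatefulRP(op)), ("stateless", stateless)):
        out[name + "_ok"] = rp.verify(op.sign_assertion(rp.handle, *args))
        out[name + "_tampered"] = rp.verify(dict(op.sign_assertion(rp.handle, *args), return_to="https://evil.example/"))
    replay = op.sign_assertion(None, *args)
    out["stateless_replay_refused"] = stateless.verify(replay) and not stateless.verify(replay)
    return out
```

`demo()` shows the trade-off in the message: both RPs accept a genuine assertion and reject a tampered return_to, but the stateless RP can only do so by asking the OP each time, and the OP in turn has to keep per-assertion state (the checked nonces and private MAC keys) that the association lets the RP keep instead.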

