[OpenID] is openid 2.0 a lightweight identity system?
mart at degeneration.co.uk
Fri Feb 9 08:05:14 UTC 2007
Robert Yates wrote:
> For example, how much resistance would there actually be to removing
> "Diffie-Hellman Associations" and instead always relying upon a
> "Direct Request". If folks really want to use associations they can
> always fall back to openid 1.1 which "should" be supported by all
> parties anyway.
The Diffie-Hellman Associations were added because of possible attacks
on the 1.0 variation on direct request authorization.
I think if either were to go, it'd be direct request. It's really only
still there to support RPs that are unable to store any state and thus
can't maintain an assocation. Making *those* RPs fall back to OpenID 1.1
could be a reasonable option, since they should be in the minority anyway.
More information about the general