[OpenID] is openid 2.0 a lightweight identity system?

Robert Yates robyates70 at gmail.com
Fri Feb 9 18:19:22 UTC 2007


Jonathan,

many thanks for your detailed answers, it certainly helps, but I am
still left wondering the advantages of full XRDS over Yadis.  Yadis
seems to define the necessary subset of XRDS required for the use
cases you outline below.  So what does the full XRDS support in openid
2.0 buy us over Yadis?

Thanks,

Rob

On 2/9/07, Jonathan Daugherty <cygnus at janrain.com> wrote:
> # 1. How XRDS helps OpenID grow beyond authentication.
>
> I think this is explained below.
>
> # 2. Why OpenID growing beyond authentication is a good idea - what
> # kind of additional problems does that let us solve?
>
> Early on, some people understood that sending an identifier in the
> OpenID messages was a specific case of the more general signed message
> case.  With the identifier now optional, the OpenID protocol itself
> can be used more generically.  People come up with all sorts of
> contrived use cases for this, but one example is a case where an RP
> wants a signed assertion that the user is, say, at least 21 years of
> age, and in that case no identifier or authentication is pertinent per
> se.  You get an assertion (and for the sake of argument, assume it's
> signed by a trusted authority so you know it has value), but it might
> not have anything to do with whether the RP needs to know the user's
> identifier.
>
> # 3. Why can't those problems be solved as separate extensions to the
> # OpenID spec? Is it really necessary for XRDS to be in core OpenID -
> # does it act as a kind of plug-in mechanism without which extending
> # OpenID would be significantly less likely to achieve consensus, for
> # example?
>
> The problems can be solved using separate extensions, but XRDS lets
> identifier URLs advertise to RPs the extensions and/or services
> supported by OPs.  It's also true that XRDS isn't necessary to use
> such extensions, but it does help provide some clarity to an RP when
> constructing a request.  (In the case of Simple Registration, people
> usually just stuff the openid.sreg parameters in the request and see
> if anything comes back, but the Right Way is to only bother sending
> them if the sreg service type is found in the OP's corresponding
> Service element.)
>
> # I'll be completely honest here: I don't understand what "service
> # type" or "service" actually means. The OpenID 2.0 spec doesn't help
> # me here - as far as I can tell, a "service" is anything that fits in
> # an <xrd:Service> element.
>
> Empirically, an xrd:Service element needs to contain two things: a
> service URI and a service type URI.  Optionally, the element can
> express the priority of the described service in the context of the
> entire XRDS document.  It may also contain other information specific
> to the type URI in use, such as the OpenID OP-local ID.
>
> The service URI's purpose is up to the service type authors and should
> be specified accordingly.
>
> A service is essentially whatever you want it to be.  There has been a
> lot of debate (or misunderstanding?) around what a service actually
> *is* and what its properties ought to be (i.e., what a Service element
> maps to in reality).  Generally speaking, a service type is a URI used
> to indicate the support of (or desired use of) a given service, whose
> functionality is out of scope for OpenID.  It's just a form of
> advertisement.
>
> Some examples are 1) list OpenID OP services to support fallback in
> case one goes offline, 2) advertise a public key using a well-defined
> service type URI, or 3) advertise a photo-sharing service compliant to
> some photo-fetching protocol, say.
>
> # I'm now three specs in and I still don't know what a service is! I'm
> # obviously missing something critically important here.
>
> Maybe my explanation helped.  Johannes, Drummond, and others may have
> more to offer.
>
> Thanks for asking these questions.
>
> --
>   Jonathan Daugherty
>   JanRain, Inc.
>   irc.freenode.net: cygnus in #openid
>   cygnus.myopenid.com
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>



More information about the general mailing list