[OpenID] is openid 2.0 a lightweight identity system?

Recordon, David drecordon at verisign.com
Fri Feb 9 19:58:51 UTC 2007

Hey Simon,
Quick answer from my perspective, but Yadis lets you say "I support
OpenID Authentication 1.1 and the OpenID Simple Registration Extension
1.0."  Without it, how do you know what extensions the OP supports
without adding a bunch of link tags?

It also allows the discovery document (XRDS) to be fetched via semantics
in the HTTP request, making it easier for a large organization to deploy
OpenID versus having to insert HTML markup on every page.


-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Simon Willison
Sent: Friday, February 09, 2007 12:19 AM
To: Johannes Ernst
Cc: general at openid.net
Subject: Re: [OpenID] is openid 2.0 a lightweight identity system?

On 2/9/07, Johannes Ernst <jernst+openid.net at netmesh.us> wrote:
> This is a misunderstanding. XRDS is crucial if OpenID ever wants to 
> grow beyond authentication, because it captures the meta-data that's 
> needed to say which service types are available and where for a given 
> identifier (aka OpenID URL).

That's exactly the kind of answer I was looking for. Now help me

1. How XRDS helps OpenID grow beyond authentication.
2. Why OpenID growing beyond authentication is a good idea - what kind
of additional problems does that let us solve?
3. Why can't those problems be solved as separate extensions to the
OpenID spec? Is it really necessary for XRDS to be in core OpenID - does
it act as a kind of plug-in mechanism without which extending OpenID
would be significantly less likely to achieve consensus, for example?

One of my favourite things about the original OpenID spec was that it
took one very small problem - authentication over the Web - and /just/
solved that, in the same vein as the Unix philosophy of building small
tools that only do one thing.

The first paragraph of the OpenID 2.0 spec states the following:

OpenID Authentication provides a way to prove that an end user controls
an Identifier. It does this without the Relying Party needing access to
end user credentials such as a password or to other sensitive
information such as an email address.

There's nothing there about growing beyond authentication or meta-data
about service types. I'll be completely honest here: I don't understand
what "service type" or "service" actually means. The OpenID 2.0 spec
doesn't help me here - as far as I can tell, a "service" is anything
that fits in an <xrd:Service> element.

The YADIS spec has an implementor's glossary, but isn't actually any
more useful as it recursively defines a "Service" as "A service provided
by a Yadis Resource" and a "Yadis Resource" as "A computer software
process (or system of processes) that provides one Yadis Protocol".

The XRI Resolution spec does only slightly better, defining "Service
Endpoints" as "descriptors of concrete URIs at which network services
are available for the target resource".

I'm now three specs in and I still don't know what a service is! I'm
obviously missing something critically important here.

Since I don't like complaining about things without at least trying to
offer a solution, here are my first proposed questions for an OpenID

1. When the OpenID / Yadis / XRI Resolution specifications talk about a
"service", what do they mean? Are they all talking about the same

2. Why is XRDS a useful component of the OpenID 2.0 specification?

3. If XRDS' main function is to allow OpenID to grow beyond
authentication, how does that fit with the stated aim of solving just
one part of the overall authentication problem? Is that aim still part
of the OpenID philosophy?

Question 3 isn't really suitable for an FAQ, but I'd personally love to
know the answer. Maybe OpenID 2.0 needs an updated philosophy statement.


general mailing list
general at openid.net
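The two points David makes above (an XRDS lets an identifier advertise which OpenID version and which extensions, such as SReg 1.0, an endpoint supports, and the XRDS can be found through the HTTP response rather than link tags on every page) can be shown end to end in code. The following is an added example written for this archive page, not code from either poster or from any OpenID library. The XRDS document and the host names in it are constructed for illustration; the type URIs and the X-XRDS-Location / application/xrds+xml discovery rules are the ones the Yadis and OpenID specifications define.

```python
"""Yadis discovery and XRDS service selection (added example, not from the thread)."""
import re
import xml.etree.ElementTree as ET

# Namespaces used by XRDS documents (Yadis / XRI Resolution).
NS_XRD = "xri://$xrd*($v*2.0)"
NS_OPENID10 = "http://openid.net/xmlns/1.0"   # carries <openid:Delegate> for OpenID 1.x

# Service type URIs discussed in the thread, plus the OpenID 2.0 signon type.
OPENID_11 = "http://openid.net/signon/1.1"
OPENID_20_SIGNON = "http://specs.openid.net/auth/2.0/signon"
SREG_10 = "http://openid.net/sreg/1.0"

# Constructed XRDS: one identifier advertising an OpenID 2.0 endpoint and an
# OpenID 1.1 endpoint, both with SReg 1.0. Host names are assumptions.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
           xmlns:openid="http://openid.net/xmlns/1.0">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/sreg/1.0</Type>
      <URI>https://op.example.com/server</URI>
      <LocalID>https://op.example.com/user/alice</LocalID>
    </Service>
    <Service priority="20">
      <Type>http://openid.net/signon/1.1</Type>
      <Type>http://openid.net/sreg/1.0</Type>
      <URI>https://op.example.com/server</URI>
      <openid:Delegate>https://op.example.com/user/alice</openid:Delegate>
    </Service>
  </XRD>
</xrds:XRDS>
"""

_META_RE = re.compile(
    r'<meta[^>]+http-equiv=["\']X-XRDS-Location["\'][^>]+content=["\']([^"\']+)["\']',
    re.IGNORECASE)


def locate_xrds(headers, body):
    """Apply the Yadis rules to one HTTP response (RP sent Accept: application/xrds+xml).

    Returns ("document", body) when the response itself is the XRDS,
    ("location", url) when a header or <meta> points at it, or None when only
    HTML link tags could remain (the per-page markup David wants to avoid).
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype == "application/xrds+xml":
        return ("document", body)
    if "x-xrds-location" in hdrs:
        return ("location", hdrs["x-xrds-location"].strip())
    m = _META_RE.search(body)
    if m:
        return ("location", m.group(1))
    return None


def parse_services(xrds_text):
    """Return the <Service> elements of the last <XRD>, ordered by priority.

    The XRDS is served by the claimed identifier's host, so it is untrusted input:
    a production RP should use a hardened XML parser (e.g. defusedxml) and cap
    the size it will fetch. Stdlib ElementTree keeps this example self-contained.
    """
    root = ET.fromstring(xrds_text)
    xrds = root.findall(f"{{{NS_XRD}}}XRD")
    if not xrds:
        raise ValueError("no XRD element in XRDS document")
    xrd = xrds[-1]  # Yadis / OpenID 2.0 discovery use the last XRD
    services = []
    for svc in xrd.findall(f"{{{NS_XRD}}}Service"):
        prio = svc.get("priority")
        local_id = svc.find(f"{{{NS_XRD}}}LocalID")
        delegate = svc.find(f"{{{NS_OPENID10}}}Delegate")
        services.append({
            "priority": int(prio) if prio is not None and prio.isdigit() else None,
            "types": {t.text.strip() for t in svc.findall(f"{{{NS_XRD}}}Type") if t.text},
            "uris": [u.text.strip() for u in svc.findall(f"{{{NS_XRD}}}URI") if u.text],
            "local_id": (local_id.text if local_id is not None
                         else delegate.text if delegate is not None else None),
        })
    # Lower priority value wins; services with no priority sort last.
    services.sort(key=lambda s: (s["priority"] is None, s["priority"] or 0))
    return services


def select_service(services, required_types):
    """Pick the highest-priority service advertising every required type.

    This is the check David describes: the RP learns from the XRDS alone whether
    the OP supports SReg next to a given OpenID version, with no extra link tags.
    """
    required = set(required_types)
    for svc in services:
        if required <= svc["types"] and svc["uris"]:
            return svc
    return None


if __name__ == "__main__":
    found = parse_services(SAMPLE_XRDS)
    for svc in found:
        print(svc["priority"], sorted(svc["types"]), svc["uris"], svc["local_id"])
    chosen = select_service(found, {OPENID_11, SREG_10})
    print("OpenID 1.1 + SReg 1.0 endpoint:", chosen["uris"][0], "delegate:", chosen["local_id"])
```

Asking for `{OPENID_11, SREG_10}` selects the priority-20 service and returns its `openid:Delegate`, while asking for the 2.0 signon type selects the priority-10 service; a type the identifier never advertises yields None, which is the point of having the types in the discovery document rather than guessing from link tags.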
