[OpenID] Yahoo! supporting OpenID 2.0 but not 1.1

Allen Tom atom at yahoo-inc.com
Fri Jan 18 17:21:29 PST 2008

Hi everybody,

OpenID 2.0 has several important security and usability improvements 
over OpenID 1.1:

1) Security issues - A security issue with 1.1 was reported to the list: 
http://openid.net/pipermail/security/2007-February/000241.html and was 
resolved by defining RP Discovery in Section 13 of the OpenID 2.0 spec. 
Another oversight in 1.1 was the ability to send associations in the 
clear without requiring HTTPS.

2) Identifier Recycling - Large OPs with millions of accounts may want 
to recycle desirable OpenID identifiers that belong to inactive 
accounts. OpenID 2.0 defines a mechanism to indicate an OpenID 
generation identifier using URL fragments appended to the base OpenID 
URL. (Section 11.5.1)

3) Usability - Typing in your OpenID URL to initiate the sign in process 
is a strange concept for the uninitiated. I certainly admit to thinking 
that URL-based identifiers were really weird when I first heard about 
them. In OpenID 2.0, users only need to identify their OP to start the 
signin process, without having to know their OpenID URL. Users can just 
type in "blogger.com" or click on a "Sign-in with Vidoop"  button to 
login. Because users don't even need to know their OpenID URL, an 
auto-generated identifier could be created for them.

These improvements in the new OpenID 2.0 spec are needed for widespread 
OpenID adoption.


André Luís wrote:
> Should we interpret this as a strong support for OpenID 2.0 on behalf
> of Yahoo! but a strong distrust for OpenID 1.1

More information about the general mailing list