[OpenID] Yahoo! supporting OpenID 2.0 but not 1.1
Allen Tom
atom at yahoo-inc.com
Fri Jan 18 17:21:29 PST 2008
Hi everybody,

OpenID 2.0 has several important security and usability improvements
over OpenID 1.1:

1) Security issues - A security issue with 1.1 was reported to the list:
http://openid.net/pipermail/security/2007-February/000241.html and was
resolved by defining RP Discovery in Section 13 of the OpenID 2.0 spec.
Another oversight in 1.1 was the ability to send associations in the
clear without requiring HTTPS.

2) Identifier Recycling - Large OPs with millions of accounts may want
to recycle desirable OpenID identifiers that belong to inactive
accounts. OpenID 2.0 defines a mechanism to indicate an OpenID
generation identifier using URL fragments appended to the base OpenID
URL. (Section 11.5.1)

3) Usability - Typing in your OpenID URL to initiate the sign-in process
is a strange concept for the uninitiated. I certainly admit to thinking
that URL-based identifiers were really weird when I first heard about
them. In OpenID 2.0, users only need to identify their OP to start the
sign-in process, without having to know their OpenID URL. Users can just
type in "blogger.com" or click on a "Sign-in with Vidoop" button to
log in. Because users don't even need to know their OpenID URL, an
auto-generated identifier could be created for them.

These improvements in the new OpenID 2.0 spec are needed for widespread
OpenID adoption.

Allen

André Luís wrote:
> Should we interpret this as a strong support for OpenID 2.0 on behalf
> of Yahoo! but a strong distrust for OpenID 1.1
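
Added example, not part of the original message or of any OpenID library: a sketch of how a relying party could handle the identifier recycling described in point 2, keying accounts on the full claimed identifier (fragment included) so that a recycled URL with a new generation fragment does not inherit the previous owner's account. The class name, status strings and example identifiers are assumptions made for illustration.

```python
from urllib.parse import urldefrag


def split_claimed_id(claimed_id):
    """Return (base URL used for display, generation fragment)."""
    base, fragment = urldefrag(claimed_id)
    return base, fragment


class RelyingPartyAccounts:
    """Hypothetical RP account table keyed by the full claimed identifier."""

    def __init__(self):
        self._by_claimed_id = {}  # full identifier incl. fragment -> local user
        self._by_base = {}        # base URL -> full identifiers already linked

    def link(self, claimed_id, local_user):
        base, _ = split_claimed_id(claimed_id)
        self._by_claimed_id[claimed_id] = local_user
        self._by_base.setdefault(base, set()).add(claimed_id)

    def resolve(self, claimed_id):
        """Classify an already-verified assertion as known, recycled or new."""
        if claimed_id in self._by_claimed_id:
            return "known", self._by_claimed_id[claimed_id]
        base, _ = split_claimed_id(claimed_id)
        if self._by_base.get(base):
            # Same base URL, different generation: the OP reassigned the
            # identifier, so the old local account must not be reused.
            return "recycled", None
        return "new", None


if __name__ == "__main__":
    # Constructed sample identifiers; op.example is a placeholder OP.
    accounts = RelyingPartyAccounts()
    accounts.link("https://me.op.example/alice#gen1", "user-17")
    for cid in ("https://me.op.example/alice#gen1",
                "https://me.op.example/alice#gen2",
                "https://me.op.example/bob#gen1"):
        print(split_claimed_id(cid)[0], accounts.resolve(cid))
```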