Summarizing Where We're At

Recordon, David drecordon at verisign.com
Mon Oct 16 02:25:34 UTC 2006


Hi Chris,
The rush is that 2.0 has been in a drafting phase for almost six months
now, with draft five being posted at the end of June.  While we
certainly can continue taking the time to make everyone happy, we
ultimately will never have a finished specification.

Rather I think it is important to make sure the core features missing
from 1.1, and problems with it, have been addressed.  This will then
allow other proposals to be written as extensions as well as worked into
future versions.  As to the proposals I've listed in each of my summary
emails, I only work off of the proposals listed at
http://www.lifewiki.net/openid/OpenIDProposals as I said I would at the
end of September
(http://openid.net/pipermail/specs/2006-September/000129.html).

Not trying to be harsh, but if we don't put a stake in the ground and
move forward then 2.0 will never be finished.

--David

-----Original Message-----
From: Chris Drake [mailto:christopher at pobox.com] 
Sent: Sunday, October 15, 2006 7:09 PM
To: Recordon, David
Cc: specs at openid.net
Subject: Re: Summarizing Where We're At

Hi David,

What is the rush for?  There's a lot of unhappy people here due to
missing protocol elements.

I for one believe the lack of privacy considerations is an entire OpenID
"killer".

Is there a reason why you've omitted my IdP-initiated login proposal
from your short list (also known as "bookmark login url discovery")?

If you're not convinced of the importance of privacy - read your own IdP
home page: http://pip.verisignlabs.com/

 " Verify your identity without compromising your privacy with PIP,
   the personal identity management system from VeriSign. "

Verisign chose Privacy as *the* most important and critical feature that
their IdP should support - does your PIP service plan to *use* OpenID,
and if so, how do you propose to handle privacy problems (e.g., RPs
collaborating about users behind their backs)?

Imposing an arbitrary time limit will result in an incomplete spec.

Kind Regards,
Chris Drake


Monday, October 16, 2006, 5:28:52 AM, you wrote:

RD> So previously I had set the goal of the final draft coming out last 
RD> Friday, though we've missed that.  I'm resetting this bar to 
RD> Wednesday which means we need to wrap up discussion on proposals 
RD> where there is general consensus as well as accept that some 
RD> proposals will not make it into this version.  For all proposals, 
RD> unless there is general consensus they should be included by Tuesday
RD> evening they will not be included.

RD> * Request Nonce and Name
RD>  - Has been partially implemented, openid.nonce -> 
RD> openid.response_nonce, no agreement on the need of a request nonce 
RD> specifically, rather discussion has evolved into allowing a RP to 
RD> pass "appdata" like in Yahoo's BBAuth.  No formal proposal on the 
RD> table yet, thus will not be included in this version.

RD> * Authentication Age
RD>  - Re-proposed today adding clarity in motivation, general consensus
RD> is needed to add to specification.

RD> * Remove setup_url
RD>  - Little discussion and no general consensus to do so.  Rather 
RD> seems asking for feedback from checkid_immediate implementers on the
RD> parameter would be beneficial at this time.

RD> * Consolidated Delegation Proposal
RD>  - Very active discussion, the only proposal I'm willing to stall 
RD> the spec for.  Seems very important a strong conceptual model is 
RD> created at this time.

RD> * Change Default session_type
RD>  - Proposed, no discussion yet.

RD> * Bare Request
RD>  - Proposed, no discussion yet.

RD> I also feel strongly that no new proposals, except to update 
RD> existing ones, should be considered for inclusion in this version.

RD> --David