Backwards compatibility

Dick Hardt dick at sxip.com
Mon Sep 25 19:18:33 UTC 2006


If this is the case (David Fuelling's summary) then backwards  
compatibility of the spec is not needed. If backwards compatibility  
is required, then the 2.0 spec can just say that 1.1 must also be  
supported.

Although the spec may require systems to be backwards compatible, I  
would argue that should be a choice of the site and not forced. An RP  
may be concerned about supporting aspects of 1.1 due to replay  
attacks etc., and an IdP may not want to support RPs that don't  
protect against replay attacks. It will likely be implementation  
dependent.

I would predict though that most sites will support both 1.1 and 2.0.

-- Dick

On 25-Sep-06, at 12:05 PM, Recordon, David wrote:

> You're right, I believe what Josh meant was that OpenID 2.0 systems  
> MUST
> support the 1.1 message format.  Obviously differentiating between the
> message formats is possible, and the 2.0 format can be different than
> 1.1, but a requirement for a 2.0 implementation can be support for 1.1
> messages.
>
> --David
>
> -----Original Message-----
> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
> Behalf Of David Fuelling
> Sent: Sunday, September 24, 2006 3:58 PM
> To: 'Josh Hoyt'
> Cc: specs at openid.net
> Subject: RE: Backwards compatibility
>
> Josh,
>
> Just a point of clarification -- As worded, your #1 says that any  
> OpenId
> 2.0 message would work in any OpenId 1.1 system, which (from my
> perspective) implies that the 2.0 protocol cannot implement any
> (significant) message features that aren't defined in 1.1....which  
> would
> tend to imply that the two protocols are identical (since 1.1 is  
> already
> defined).
>
> Are you really meaning to ask the following instead:
>
> #1R: OpenId 2.0 systems MUST implement and support all of the messages
> in OpenId 1.1.
>
> #2R: It is possible for implementations to differentiate between  
> OpenID
> 1.1 and 2.0 and to construct appropriate messages. In essence, it's a
> different protocol, and #1R is not required.
>
>
>
> Thanks!
>
> David Fuelling
>
>> -----Original Message-----
>> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
>> Behalf Of Josh Hoyt
>> Sent: Wednesday, September 20, 2006 4:31 PM
>> To: specs at openid.net
>> Subject: Backwards compatibility
>>
>> When making and evaluating proposals, there have been many references
>> to backwards compatibility. I'm not sure that everyone has the same
>> idea what it means to be backwards compatible.
>>
>> There are at least two meanings that I can see:
>>
>> 1. Messages that are valid OpenID 2.0 messages are also valid OpenID
>> 1.1 messages
>>
>> 2. It is possible for implementations to differentiate between OpenID
>> 1.1 and 2.0 and to construct appropriate messages. In essence, it's a
>> different protocol.
>>
>> I've been focused on maintaining (1). How do you see it?
>>
>> Josh
>> _______________________________________________
>> specs mailing list
>> specs at openid.net
>> http://openid.net/mailman/listinfo/specs
>



