Server-to-server channel

Anders Feder lists.anders at feder.dk
Tue Apr 3 13:18:22 UTC 2007


Johnny Bufu wrote:
> This is basically a push approach, as opposed to the pull approach  
> you were suggesting.

I'm new to OpenID, and no engineer, but I have to say that I have a bad 
feeling about this 'push' approach. It inverts the relationship between 
client and server and seems entirely contrary to the stateless spirit of 
the Web:

* The RP can't know the status of the information it is working with - 
it just has to assume that the attributes it has in store are up-to-date.
* If an OP fails to update an attribute, the RP will never know - no 
fall-backs can be implemented.
* When updating, the OP imposes a previous address structure upon the 
Web, regardless of how it is actually organized now.
* While the RPs request the information, the OP is made responsible 
for doing the work associated with distributing it.
* The OP must donate storage space to support the distribution of 
information to RPs it has no direct interest in. A malicious RP may 
even exploit this storage space for its own purposes.
* Attributes are not easily referenced by, say, sub-contractors of an 
RP. The model imposes limits upon the complexity of the services that may 
be derived from it.


Regards,
Anders Feder
