Server-to-server channel
Anders Feder
lists.anders at feder.dk
Tue Apr 3 13:18:22 UTC 2007
Johnny Bufu wrote:
> This is basically a push approach, as opposed to the pull approach
> you were suggesting.
I'm new to OpenID, and no engineer, but I have to say that I have a bad
feeling about this 'push' approach. It inverts the relationship between
client and server and seems entirely contrary to the stateless spirit of
the Web:
* The RP can't know the status of the information it is working with -
it just has to assume that the attributes it has in store are up-to-date.
* If an OP fails to update an attribute, the RP will never know - no
fall-backs can be implemented.
* When updating, the OP imposes a previous address structure upon the
Web, regardless of how it is actually organized now.
* While the RP requests the information, the OP is made responsible
for doing the work associated with distributing it.
* The OP must donate storage space to support the distribution of
information to RPs it has no direct interest in. A malicious RP may
even exploit this storage space for its own purposes.
* Attributes are not easily referenced to, say, sub-contractors of an
RP. The model imposes limits upon the complexity of the services that may
be derived from it.
Regards,
Anders Feder