Final outstanding issues with the OpenID 2.0 Authenticationspecification

Recordon, David drecordon at
Thu May 17 10:40:58 PDT 2007

I've now committed a patch to remove associations in the clear, please
review commit 324.


-----Original Message-----
From: specs-bounces at [mailto:specs-bounces at] On
Behalf Of Josh Hoyt
Sent: Thursday, May 17, 2007 9:26 AM
To: OpenID specs list
Subject: RFC: Final outstanding issues with the OpenID 2.0

OpenID 2.0 has been a work in progress for a long time. The
specification has been largely at a stand-still for long enough for
people to implement it, and even deploy it. At the Internet Identity
Workshop for the past few days, I've been talking to the people from the
OpenID community about what is getting in the way of calling the spec
final. I'm sending this message to summarize what I've heard, get
comments from those of you who aren't here at this conference, and
hopefully establish a concrete plan of action that will get the spec

In the conversations that I've had, there are four issues that are
holding up people's approval of the specification. These issues are not
new, but I'm going to list them here:

 1. Identifier recycling. There are two different use cases for
    identifier recycling. The first, and the one that most people who
    I have talked to really want to solve is that of a large provider
    that wants to allow re-use of parts of its namespace. The second
    is if a user wants to relinquish control of an identifier without
    relinquishing control of the places that they have used this
    identifier. A concrete example of this is if I ever choose to stop
    paying for

 2. Realm spoofing. This encompasses the attacks that Allen Tom has
    described (using redirectors, proxies or XSS attacks) that create
    new phishing opportunities and make certain types of phishing even

 3. Associations in the clear. While the OpenID 2 specification
    specifically allows a provider to refuse to perform associations
    in the clear (no Diffie-Hellman or SSL), there is consensus that
    the specification should disallow these associations. This one's

 4. Reference to unfinished XRI specification. For resolving XRI and
    the protocol formerly known as Yadis (XRDS discovery for URLs),
    we're referring to a working draft specification. We can't leave
    the final spec referring to the draft.

If these four issues are resolved, can we call the OpenID 2.0
Authentication specification done? Speak up if you have any other

specs mailing list
specs at

More information about the specs mailing list