RFC: Final outstanding issues with the OpenID 2.0 Authentication specification

Josh Hoyt josh at janrain.com
Thu May 17 16:25:30 UTC 2007 

OpenID 2.0 has been a work in progress for a long time. The
specification has been largely at a stand-still for long enough for
people to implement it, and even deploy it. At the Internet Identity
Workshop for the past few days, I've been talking to the people from
the OpenID community about what is getting in the way of calling the
spec final. I'm sending this message to summarize what I've heard, get
comments from those of you who aren't here at this conference, and
hopefully establish a concrete plan of action that will get the spec
finalized.

In the conversations that I've had, there are four issues that are
holding up people's approval of the specification. These issues are
not new, but I'm going to list them here:

 1. Identifier recycling. There are two different use cases for
    identifier recycling. The first, and the one that most people who
    I have talked to really want to solve is that of a large provider
    that wants to allow re-use of parts of its namespace. The second
    is if a user wants to relinquish control of an identifier without
    relinquishing control of the places that they have used this
    identifier. A concrete example of this is if I ever choose to stop
    paying for j3h.us.

 2. Realm spoofing. This encompasses the attacks that Allen Tom has
    described (using redirectors, proxies or XSS attacks) that create
    new phishing opportunities and make certain types of phishing even
    worse.

 3. Associations in the clear. While the OpenID 2 specification
    specifically allows a provider to refuse to perform associations
    in the clear (no Diffie-Hellman or SSL), there is consensus that
    the specification should disallow these associations. This one's
    easy.

 4. Reference to unfinished XRI specification. For resolving XRI and
    the protocol formerly known as Yadis (XRDS discovery for URLs),
    we're referring to a working draft specification. We can't leave
    the final spec referring to the draft.

If these four issues are resolved, can we call the OpenID 2.0
Authentication specification done? Speak up if you have any other
show-stoppers.

Josh

More information about the specs mailing list