[OIDFSC] OpenID v.Next Discovery Working Group Proposal
Allen Tom
atom at yahoo-inc.com
Mon May 24 01:56:35 UTC 2010

Hi Johannes,

There isn't a document summarizing the deficiencies with OpenID 2.0
discovery - I think it would be very useful for the WG and for the Community
if we wrote this down.

Off the top of my head, some of the problems are:

* Yadis discovery is very vague as to exactly how the RP is supposed to
fetch the OP's discovery document. Should it send the magic Accept header?
Look for the X-XRDS-Location header in the response? Do HTML discovery? In
practice, many implementers have had problems implementing discovery because
there are too many ways to do it
* Speaking of Yadis, the specs need to be revised, and it's unclear how to
go about doing this
* Because a compromised discovery document can result in the complete
breakdown in OpenID security, it's important that we find ways to increase
the security of discovery - perhaps it can be signed? Moved into DNS?
* Discovery is hard to implement - the majority of the code in OpenID
libraries is to implement discovery. We can probably simplify discovery to
require less code to implement
* Delegation is a really useful feature in OpenID - it was pretty
straightforward in OpenID 1.1, but is very confusing (to say the least) in
OpenID 2.0 - we can probably do something in discovery to make delegation
work better
* The infamous NASCAR problem could possibly be helped by discovery
* The infamous phishing problem could also possibly be helped by discovery
* LRDD, host-meta, and webfinger are pretty interesting - we should see how
OpenID can leverage these new specs

I'm sure that there are more issues with OpenID 2.0 discovery. Anyone else
want to take a stab at it?

Allen

On 5/21/10 7:55 PM, "Johannes Ernst" <jernst+openid.net at netmesh.us> wrote:
> On May 21, 2010, at 19:28, Allen Tom wrote:
>
>> ... there's universal consensus that the existing OpenID 2.0 discovery
>> mechanism is very deficient ...
>
> Is there a summary somewhere of this "universal consensus" of deficiencies?
>
> Thanks,
>
>
> Johannes Ernst
> NetMesh Inc.
>
>
>
>
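
The discovery paths named in the first bullet of the message above, as an added example that is not part of the original message or of any OpenID library: it classifies one HTTP response the way an RP has to before it can locate the OP endpoint. The function name, the path labels, the precedence order and the sample page are assumptions made for this illustration.

```python
from html.parser import HTMLParser

XRDS_TYPE = "application/xrds+xml"
OPENID_RELS = ("openid2.provider", "openid.server")

class HeadScan(HTMLParser):
    """Collects the Yadis <meta> pointer and the OpenID <link rel> endpoints."""
    def __init__(self):
        super().__init__()
        self.xrds_location = None
        self.links = {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.xrds_location = self.xrds_location or a.get("content")
        elif tag == "link":
            for rel in a.get("rel", "").lower().split():
                if rel in OPENID_RELS:
                    self.links.setdefault(rel, a.get("href"))

def classify_discovery_response(headers, body):
    """Return (path, location) for one HTTP response to the claimed identifier.
    The precedence order below is this example's assumption."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("content-type", "").split(";")[0].strip().lower() == XRDS_TYPE:
        return ("xrds-body", None)           # the response itself is the XRDS
    if h.get("x-xrds-location"):
        return ("xrds-header", h["x-xrds-location"])
    scan = HeadScan()
    scan.feed(body)
    if scan.xrds_location:
        return ("xrds-meta", scan.xrds_location)
    for rel, label in zip(OPENID_RELS, ("html-openid2", "html-openid1")):
        if rel in scan.links:
            return (label, scan.links[rel])
    return ("none", None)

# Constructed sample page: it advertises a Yadis pointer and an HTML-discovery link.
SAMPLE_HTML = """<html><head>
<meta http-equiv="X-XRDS-Location" content="https://id.example/xrds">
<link rel="openid2.provider" href="https://op.example/auth">
</head><body></body></html>"""

if __name__ == "__main__":
    print(classify_discovery_response({"Content-Type": "text/html"}, SAMPLE_HTML))
```

The sample page carries two pointers at once, so an RP that applied a different precedence than this sketch would resolve a different endpoint from the same response.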