[OIDFSC] OpenID v.Next Discovery Working Group Proposal

Allen Tom atom at yahoo-inc.com
Mon May 24 01:56:35 UTC 2010


Hi Johannes,

There isn't a document summarizing the deficiencies with OpenID 2.0
discovery - I think it would be very useful for the WG and for the Community
if we wrote this down

Off the top of my head, some of the problems are:

* Yadis discovery is very vague as to exactly how the RP is supposed to
fetch the OP's discovery document. Should it send the magic Accept header?
Look for the X-XRDS-Location header in the response? Do HTML discovery? In
practice, many implementers have had problems implementing discovery because
there are too many ways to do it
* Speaking of Yadis, the specs need to be revised, and it's unclear how to
go about doing this
* Because a compromised discovery document can result in the complete
breakdown in OpenID security - it's important that we find ways to increase
the security of discovery - perhaps it can be signed? Moved into DNS?
* Discovery is hard to implement - the majority of the code in OpenID
libraries is to implement discovery. We can probably simplify discovery to
require less code to implement
* Delegation is a really useful feature in OpenID - it was pretty
straightforward in OpenID 1.1, but is very confusing (to say the least) in
OpenID 2.0 - we can probably do something in discovery to make delegation
work better
* The infamous NASCAR problem could possibly be helped by discovery
* The infamous phishing problem could also possibly be helped by discovery
* LRDD, host-meta, and webfinger are pretty interesting - we should see how
OpenID can leverage these new specs

I'm sure that there are more issues with OpenID 2.0 discovery. Anyone else
want to take a stab at it?

Allen


On 5/21/10 7:55 PM, "Johannes Ernst" <jernst+openid.net at netmesh.us> wrote:

> On May 21, 2010, at 19:28, Allen Tom wrote:
> 
>> ... there's universal consensus that the existing OpenID 2.0 discovery
>> mechanism is very deficient ...
> 
> Is there a summary somewhere of this "universal consensus" of deficiencies?
> 
> Thanks,
> 
> 
> Johannes Ernst
> NetMesh Inc.
> 
> 
> 
> 
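
The retrieval paths named in the first bullet of the message above (XRDS returned directly for the Accept header, the X-XRDS-Location response header, and HTML discovery), as an added sketch that is not part of the original e-mail or of any OpenID library. The precedence order, the names `classify_discovery` and `HeadScan`, the `example` hosts and the non-HTTPS warning are assumptions of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

XRDS_TYPE = "application/xrds+xml"  # the "magic" Accept / Content-Type value

class HeadScan(HTMLParser):
    """Collect the Yadis <meta> pointer and OpenID 2.0 <link rel> tags."""
    def __init__(self):
        super().__init__()
        self.meta_location, self.links = None, {}

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.meta_location = self.meta_location or a.get("content")
        elif tag == "link":
            for rel in a.get("rel", "").lower().split():
                if rel in ("openid2.provider", "openid2.local_id"):
                    self.links.setdefault(rel, a.get("href"))

def classify_discovery(url, headers, body):
    """Return (path, value, warnings) for one response to a discovery GET."""
    h = {k.lower(): v for k, v in headers.items()}
    warnings = []

    def pointer(how, loc):
        target = urljoin(url, loc)  # resolve relative pointers against the claimed URL
        if urlsplit(target).scheme != "https":  # added policy, not taken from a spec
            warnings.append("XRDS would be fetched over a non-TLS URL: " + target)
        return how, target, warnings

    if h.get("content-type", "").split(";")[0].strip().lower() == XRDS_TYPE:
        return "yadis-direct", body, warnings  # the body is the XRDS document itself
    if "x-xrds-location" in h:
        return pointer("yadis-header", h["x-xrds-location"])
    scan = HeadScan()
    scan.feed(body)
    scan.close()
    if scan.meta_location:
        return pointer("yadis-meta", scan.meta_location)
    if "openid2.provider" in scan.links:
        return "html-discovery", scan.links, warnings
    return "none", None, warnings

# Constructed sample responses (not captured traffic), one per path.
SAMPLES = {
    "direct": ({"Content-Type": "application/xrds+xml; charset=utf-8"}, "<xrds:XRDS/>"),
    "header": ({"Content-Type": "text/html", "X-XRDS-Location": "/xrds"}, "<html></html>"),
    "meta": ({"Content-Type": "text/html"}, '<html><head><meta http-equiv='
             '"X-XRDS-Location" content="http://id.example/xrds"></head></html>'),
    "link": ({"Content-Type": "text/html"},
             '<link rel="openid2.provider" href="https://op.example/auth">'),
}
```

Calling `classify_discovery("https://id.example/alice", *SAMPLES["meta"])` returns the `yadis-meta` path together with a warning, because the pointer in that constructed page leads to a plain-HTTP XRDS location.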
