[OIDFSC] OpenID v.Next Discovery Working Group Proposal

Nat Sakimura n-sakimura at nri.co.jp
Mon May 24 02:56:04 UTC 2010


When it comes to delegation, it probably is the discovery service that 
has to turn the user supplied identifier into a persistent identifier. 
Unfortunately, it is not done that way right now, and it is the authentication 
service that does it.
If we really need the delegation feature, this is one of the things that 
we should probably be addressing as well.

Please see also a series of blog entries:

http://www.sakimura.org/en/search.php?query=Discovery&action=results 

Cheers,

=nat

(2010/05/24 10:56), Allen Tom wrote:
> Hi Johannes,
>
> There isn't a document summarizing the deficiencies with OpenID 2.0 
> discovery -- I think it would be very useful for the WG and for the 
> Community if we wrote this down
>
> Off the top of my head, some of the problems are:
>
>     * Yadis discovery is very vague as to exactly how the RP is
>       supposed to fetch the OP's discovery document. Should it send
>       the magic Accept header? Look for the X-XRDS-Location header in
>       the response? Do HTML discovery? In practice, many implementers
>       have had problems implementing discovery because there are too
>       many ways to do it
>     * Speaking of Yadis, the specs need to be revised, and it's
>       unclear how to go about doing this
>     * Because a compromised discovery document can result in the
>       complete breakdown in OpenID security -- it's important that we
>       find ways to increase the security of discovery -- perhaps it
>       can be signed? Moved into DNS?
>     * Discovery is hard to implement -- the majority of the code in
>       OpenID libraries is to implement discovery. We can probably
>       simplify discovery to require less code to implement
>     * Delegation is a really useful feature in OpenID -- it was pretty
>       straightforward in OpenID 1.1, but is very confusing (to say the
>       least) in OpenID 2.0 -- we can probably do something in
>       discovery to make delegation work better
>     * The infamous NASCAR problem could possibly be helped by discovery
>     * The infamous phishing problem could also possibly be helped by
>       discovery
>     * LRDD, host-meta, and webfinger are pretty interesting -- we
>       should see how OpenID can leverage these new specs
>
>
> I'm sure that there are more issues with OpenID 2.0 discovery. Anyone 
> else want to take a stab at it?
>
> Allen
>
>
> On 5/21/10 7:55 PM, "Johannes Ernst" <jernst+openid.net at netmesh.us> wrote:
>
>     On May 21, 2010, at 19:28, Allen Tom wrote:
>
>         ... there's universal consensus that the existing OpenID 2.0
>         discovery mechanism is very deficient ...
>
>
>     Is there a summary somewhere of this "universal consensus" of
>     deficiencies?
>
>     Thanks,
>
>
>     Johannes Ernst
>     NetMesh Inc.
>
>
>
>
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>    


-- 
Nat Sakimura (n-sakimura at nri.co.jp)
Nomura Research Institute, Ltd.
Tel:+81-3-6274-1412 Fax:+81-3-6274-1547

PLEASE READ:
The information contained in this e-mail is confidential and intended for the named recipient(s) only.
If you are not an intended recipient of this e-mail, you are hereby notified that any review, dissemination, distribution or duplication of this message is strictly prohibited. If you have received this message in error, please notify the sender immediately and delete your copy from your system.
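The discovery paths Allen lists above (the Accept header, the X-XRDS-Location response header, the HTML meta pointer, and plain HTML link discovery where openid2.local_id carries the delegation), tried in turn by a small resolver. This is an added example, not code from the thread or from any OpenID library; it runs against a constructed in-memory site, and the host names, the fetch_site helper and the trimmed XRDS document are assumptions.

```python
# Added example (not from the thread): Yadis/OpenID 2.0 discovery tried path by path over a constructed site.
import re

XRDS_TYPE = "application/xrds+xml"
META_RE = re.compile(r'<meta http-equiv="X-XRDS-Location" content="([^"]+)"', re.I)
LINK_RE = re.compile(r'<link rel="openid2\.(provider|local_id)" href="([^"]+)"', re.I)

def discover(fetch, url):
    """Resolve a user-supplied URL via fetch(url, accept) -> (headers, body); 'method' says which Yadis path worked."""
    headers, body = fetch(url, XRDS_TYPE)
    headers = {k.lower(): v for k, v in headers.items()}
    # Path 1: the server honoured the Accept header and returned XRDS directly.
    if headers.get("content-type", "").startswith(XRDS_TYPE):
        return {"method": "accept", "xrds": body}
    # Path 2: an X-XRDS-Location response header names the XRDS document.
    method, loc = "header", headers.get("x-xrds-location")
    # Path 3: the same pointer carried in an HTML <meta http-equiv> tag.
    if not loc:
        m = META_RE.search(body)
        method, loc = "meta", (m.group(1) if m else None)
    if loc:
        xrds_headers, xrds = fetch(loc, XRDS_TYPE)
        ctype = {k.lower(): v for k, v in xrds_headers.items()}.get("content-type", "")
        if not ctype.startswith(XRDS_TYPE):  # never treat an arbitrary page as XRDS
            raise ValueError(f"{loc} did not return {XRDS_TYPE}")
        return {"method": method, "xrds": xrds}
    # Path 4: HTML <link> discovery; openid2.local_id is the delegated identifier.
    found = dict(LINK_RE.findall(body))
    if "provider" not in found:
        raise ValueError(f"no OpenID discovery information at {url}")
    return {"method": "html", **found}

# Constructed sample site, one identifier per discovery path (no host here is real).
XRDS_DOC = '<xrds:XRDS xmlns:xrds="xri://$xrds"><XRD><Service><URI>https://op.example/auth</URI></Service></XRD></xrds:XRDS>'
HTML = {"Content-Type": "text/html"}
SITE = {
    "https://alice.example/": (HTML, '<html><head><meta http-equiv="X-XRDS-Location" '
                               'content="https://alice.example/yadis"></head></html>'),
    "https://alice.example/yadis": ({"Content-Type": XRDS_TYPE}, XRDS_DOC),
    "https://bob.example/": ({**HTML, "X-XRDS-Location": "https://bob.example/yadis"},
                             "<html></html>"),
    "https://bob.example/yadis": ({"Content-Type": XRDS_TYPE}, XRDS_DOC),
    "https://carol.example/": (HTML, '<html><head><link rel="openid2.provider" href="https://op.example/auth">'
                               '<link rel="openid2.local_id" href="https://op.example/users/carol"></head></html>'),
}

def fetch_site(url, accept):
    if url == "https://dave.example/" and accept == XRDS_TYPE:  # this host honours Accept only
        return {"Content-Type": XRDS_TYPE}, XRDS_DOC
    return SITE.get(url, (HTML, "<html></html>"))
```

Each of the four constructed identifiers resolves through a different path, which is exactly the spread of behaviour an RP has to cope with.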


