OpenID security
Martin Atkins
mart at degeneration.co.uk
Wed Oct 25 07:42:33 UTC 2006
Eddy Nigg (StartCom Ltd.) wrote:
>
> The possible options are some ten fields, which require answers from one
> or both sides. This might be OK for me (you and a few others) and
> provides flexibility, however I'm not sure if it needs this flexibility
> at all... Why not define ONE secured mode, known by all parties and be
> done with it?
I agree with this. Maybe I've just been watching bad examples, but I've
never seen success for a spec that makes use of profiles. There should
only be ONE WAY it works, and it should be described in detail in the spec.
What I am opposed to is a big matrix of requirements that can be swapped
in and swapped out. As much as possible, we want the spec to be MUSTs.
We need a few SHOULDs and MAYs for practical reasons, but these should
be kept to an absolute minimum and the implications of each carefully
spelled out in the spec.