[OpenID] On OpenID 2.0

Dick Hardt dick at sxip.com
Mon Apr 30 18:28:15 UTC 2007


On 30-Apr-07, at 11:07 AM, Martin Atkins wrote:

> Granqvist, Hans wrote:
>>
>> * With 2.0 RP implementations almost non-existent in the
>>   field after more than ten months of spec work -- is there
>>   even a need for 2.0?
>>
>> * If you have an RP: why are you waiting with implementing
>>   2.0?  Is 1.1 good enough?  Are you waiting for the spec
>>   to be final?  Do security concerns hold you back?
>>
>
> This is an interesting point of discussion, actually.
>
> What does 1.1 not do that we really wish it did? Is there anything we
> can cut out of 2.0? Is there some way we can adjust 2.0 so that all 1.1
> implementations are valid 2.0 implementations, while still retaining the
> "must haves"?
>
> To be honest, it's been so long since I thought about the 2.0 spec that
> I've forgotten what the full list of new stuff is. Off the top of my
> head I can think of:
>   * Directed identity aka "put in the URL of your IdP, not of you."
>   * A formalized extension mechanism

One of the major features of 2.0 was the extension mechanism so that  
we could add other features to OpenID without having to change the  
core specification.

SREG was really useful and many sites use it, but it is limited.  
Attribute Exchange requires OpenID 2.0, and may be the driver for RPs  
to upgrade to 2.0 once the AX spec is done and OPs upgrade.

The phishing resistant profile proposals that have been floated  
around would require OpenID 2.0 as well.

The lack of RP deployment is likely because of a lack of OP  
deployment. Inherently, OPs will lead deployment over RPs since there  
is little value in an RP implementing something until a *reasonable*  
number of users have it available.

-- Dick




