[OpenID] On OpenID 2.0

Chris Messina chris.messina at gmail.com
Mon Apr 30 18:29:56 UTC 2007


Indeed the webwide momentum seems to be around 1.1 which does the
basics of what is needed, and little more.

Adoption so far has rested, I believe, on this simplicity and
straightforwardness. Most folks with whom I've spoken about OpenID
take a look at the 1.1 spec and are eager to implement it. Those whom
I've asked about 2.0 run away, arms flailing.

If the goal is to get to a protocol for uniform authentication, we are
essentially there -- and as the 2.0 spec languishes, the number of 1.1
implementations continues to grow and calcify. To take a sharp turn now
towards 2.0 could adversely affect the momentum we've built up if it
encumbers those early implementors.

Which is to say: now that we have a number of adoptions in the wild
and a lot of positive support with the basic 1.1 spec, shouldn't we
look at the existing implementations as a validation of the original
spec and simultaneously a place to draw wider insight as to what, if
any, changes are needed for a 1.2 release? My concern is that a lot of
smart folks have worked on 2.0 for some time without the benefit of
widespread adoption to learn from. Now that we do have a great deal of
material to consider, shouldn't we spend some time better
understanding the current OpenID landscape and then embark on a
quarterly dot-release schedule?

Just thinking out loud.

Chris


On 4/30/07, Martin Atkins <mart at degeneration.co.uk> wrote:
> Granqvist, Hans wrote:
> >
> > * With 2.0 RP implementations almost non-existent in the
> >   field after more than ten months of spec work -- is there
> >   even a need for 2.0?
> >
> > * If you have a RP: why are you waiting with implementing
> >   2.0?  Is 1.1 good enough?  Are you waiting for the spec
> >   to be final?  Do security concerns hold you back?
> >
>
> This is an interesting point of discussion, actually.
>
> What does 1.1 not do that we really wish it did? Is there anything we
> can cut out of 2.0? Is there some way we can adjust 2.0 so that all 1.1
> implementations are valid 2.0 implementations, while still retaining the
> "must haves"?
>
> To be honest, it's been so long since I thought about the 2.0 spec that
> I've forgotten what the full list of new stuff is. Off the top of my
> head I can think of:
>   * Directed identity aka "put in the URL of your IdP, not of you."
>   * A formalized extension mechanism
>
> We also have Yadis discovery and XRI, but both have successfully been
> backported to 1.1.
>
> Is there anything I've forgotten? Can we just backport those two things
> to 1.1 and call it 1.2?
>
> I'm not suggesting we throw away the 2.0 spec, but more that we consider
> whether it's possible to edit it so that it's less of a drastic jump?
>
> On the other hand, if everyone's happy with 2.0 as-is then we might as
> well just go ahead and publish it as final. No-one really seems that
> enthusiastic about it, though.


-- 
Chris Messina
Citizen Provocateur &
  Open Source Ambassador-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412 225-1051
Skype: factoryjoe
This email is:   [ ] bloggable    [X] ask first   [ ] private


