Thu Jan 11 23:01:28 UTC 2007
competing identity systems decided to merge. The con here is that perhaps
we have too much in the spec. The pro is that we have a unified approach
now -- everybody is on board with one single spec: OpenId 2.0.
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of rob
> Sent: Thursday, February 08, 2007 10:29 AM
> To: general at openid.net
> Subject: [OpenID] is openid 2.0 a lightweight identity system?
> I took a look at the Openid Authentication 2.0 spec for the first time
> recently. I thought it would be as simple as either the original openid
> spec or the DIX spec (hacked up my own DIX implementation in a day or
> two, loved it)
> However 2.0 now seems to be a merger of these two specs. with a sprinkle
> of "xri" just for good measure. What this has produced is not as
> intuitive as either of its predecessors and I wonder whether it can
> still coin the phrase "lightweight".
> If I am understanding this new spec correctly to implement support from
> scratch an rp needs to understand openid (currently 56 pages), yadis
> resolution (22 pages), xri resolution (currently 74 pages) and probably
> xri's themselves (33 pages). This no longer seems like a lightweight
> identity system to me (and there is no way I could now hack a complete
> system (op and rp) together in a few days).
> I understand the trade offs and compromises that need to be made during
> a specs development, but has it drifted away from what I thought was its
> initial mandate, namely to provide a lightweight, i.e. easy to implement
> from scratch, federated identity system (we already have SAML).
> Anyway, a couple questions for you all,
> Does openid really need two optional ways of verifying the signatures
> i.e. shared secret and direct request, can't we just pick one?
> Does openid really need to support xri identifiers in the core, can't
> this be separated? This would remove 107 pages of additional
> specification reading and reduce the size of the openid spec.
> I hope this e-mail isn't viewed as negative, I just hadn't looked at
> what had been happening recently and wanted to pass on my gut reaction
> to the new spec. I also see that a lot of this has been debated on the
> mailing list before so apologies for rehashing old ground.
> general mailing list
> general at openid.net
More information about the general