[OpenID] Backwards Compatibility
Carsten Pötter
sccpffm at gmail.com
Tue Mar 10 18:28:50 UTC 2009
Allen Tom mentioned the wiki page of the OpenID 2.1 spec
(http://wiki.openid.net/OpenID_Authentication_2_1) today. While I am
not a developer, I was curious and had a look at it. ;) Besides
correcting errata, "maintaining backwards compatibility with OpenID
Authentication 2.0 to the greatest degree possible" is an aim of the
spec as well. I think that's a good intention, though I'd like the
next spec to be clear that both RPs and OPs have to support OpenID
2.0 as well.
Compatibility with OpenID 1.1 was not required by the OpenID 2.0 spec:
"OpenID Authentication 2.0 implementations SHOULD support OpenID
Authentication 1.1 compatibility, unless security considerations make
it undesirable"
(http://openid.net/specs/openid-authentication-2_0.html#compat_mode).
So currently, there are two specs out there, which is confusing to a
lot of users. They try to log in to an RP with their Yahoo! account but
can't because the RP is only supporting OpenID 1.1. People give in,
write angry blog posts about OpenID being complicated, being just for
geeks, ... I guess you all know those stories.
When it was clear that Yahoo! (and later Google as well) was only
supporting OpenID 2.0, I thought OpenID 1.1 implementations would be
quickly updated. But it seems they're not. So it would be a really bad
idea if there were a third spec around which didn't require
compatibility with OpenID 2.0. I am aware that, e.g., Yahoo! wouldn't be
supporting OpenID yet if it had to comply with OpenID 1.1 as well (if
I remember correctly, of course). So maybe the wording in the OpenID
2.0 spec was a compromise. I don't know, but it shouldn't happen
again, I think.
I hope this post makes sense. Also maybe this is better suited for
the specs list, but I'm not sure.
Carsten