[OpenID] Backwards Compatibility

Andrew Arnott andrewarnott at gmail.com
Mon Mar 16 17:37:05 UTC 2009


What does "clearly deprecated" mean?  I hope not that an implementation is
forbidden to implement 1.1 support.  For instance, DotNetOpenAuth offers
interop with both 1.1 and 2.0 remotes, and ensures that it is just as secure
either way by going to extra steps when dealing with the 1.1 remotes, less
possibly the RP discovery step, which isn't even required by any 2.0 OP that
I know of.  It seems that deliberately cutting off interop support with 1.1
would be a step backwards.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - Voltaire


On Mon, Mar 16, 2009 at 10:23 AM, David Recordon <david at sixapart.com> wrote:

> Hey Carsten,
> I agree with you.  It's time to make sure that 1.1 is clearly deprecated
> and that everyone implements 2.1 once it is completed.
>
> --David
>
>
> On Mar 10, 2009, at 1:28 PM, Carsten Pötter wrote:
>
>> Allen Tom mentioned the wiki page of the OpenID 2.1 spec
>> (http://wiki.openid.net/OpenID_Authentication_2_1) today. While I am
>> not a developer I was curious and had a look at it. ;) Besides
>> correcting errata "maintaining backwards compatibility with OpenID
>> Authentication 2.0 to the greatest degree possible" is an aim of the
>> spec as well. I think that's a good intention, though I'd like the
>> next spec to be clear that both RPs and OPs have to support OpenID
>> 2.0 as well.
>>
>> Compatibility to OpenID 1.1 was not required by the OpenID 2.0 spec:
>> "OpenID Authentication 2.0 implementations SHOULD support OpenID
>> Authentication 1.1 compatibility, unless security considerations make
>> it undesirable"
>> (http://openid.net/specs/openid-authentication-2_0.html#compat_mode).
>> So currently, there are two specs out there, which is confusing to a
>> lot of users. They try to log in to an RP with their Yahoo! account but
>> can't because the RP is only supporting OpenID 1.1. People give in,
>> write angry blog posts about OpenID being complicated, being just for
>> geeks,... I guess, you all know those stories.
>>
>> When it was clear that Yahoo! (and later Google as well) was only
>> supporting OpenID 2.0, I thought OpenID 1.1 implementations were
>> quickly updated. But it seems, they're not. So it was a really bad
>> idea, if there was a third spec around which didn't require
>> compatibility to OpenID 2.0. I am aware that, e.g. Yahoo! wasn't
>> supporting OpenID yet, if it had to comply with OpenID 1.1 as well (if
>> I remember correctly, of course). So maybe the wording in the OpenID
>> 2.0 spec was a compromise. I don't know, but it shouldn't happen
>> again, I think.
>>
>> I hope, this post makes sense. Also maybe this is better suited for
>> the specs list, but I'm not sure.
>>
>> Carsten
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>