[OpenID] Backwards Compatibility

SitG Admin sysadmin at shadowsinthegarden.com
Tue Mar 17 19:54:11 UTC 2009


>If anything, I'd like to see things removed from 2.0, such as the DH 
>key exchange.

+1; but my thought is more that network-based key exchange should be 
optional; if I want to make sure that the OP responding to my 
browser's request is hosted at the servers my bank has, why should I 
need PKI when I can call them up (or visit in person), take home 
their key, and trust *that*? Mutual authentication using the U.S. 
Postal Service as a trusted 3rd party (routing mail correctly, not 
substituting or altering letters) is just one alternative; that there 
*are* many, and this is just an example of what may suit some people, 
brings to mind XRI more than anything else.

And, of course, it goes for OP/RP relationships just as well as for 
end-users. We may trust that the phone companies are not intercepting 
calls and using voice imitation technology to pose as the people we 
know, when we call-back to confirm the desire to change their current 
keys; but with that level of communication *available*, do we really 
*need* to leave an entire avenue of exploitation around for network 
renegotiation of keys, or can we just keep them hardcoded and change 
the values directly as authorized?

-Shade
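To make the point above concrete from the relying party's side, here is an added example (not code from the list post or from any OpenID library) showing that verifying an OpenID 2.0 signed assertion depends only on the association's MAC key, not on how that key was established. The same `verify()` works whether the key arrived through a DH-SHA256 association (the `dh_association()` path, which unmasks `enc_mac_key` as the spec describes) or was provisioned out of band and stored as a fixed association handle. The DH group, the field values and the `*.example` URLs are constructed for illustration; the toy modulus is not the OpenID default prime.

```python
"""Verifying an OpenID 2.0 signed assertion with a MAC key from either a
Diffie-Hellman association or an out-of-band (pre-shared) key.
Added example; the DH group and all field values below are constructed."""
import base64
import hashlib
import hmac

# Constructed toy DH group for illustration only; real deployments use a
# standard large prime (OpenID 2.0 ships a 1536-bit default modulus).
TOY_P = (1 << 127) - 1
TOY_G = 3


def btwoc(n: int) -> bytes:
    """Big-endian two's complement of a non-negative int (OpenID 2.0 'btwoc')."""
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + raw if raw[0] & 0x80 else raw


def dh_mask(shared_secret: int) -> bytes:
    """H(btwoc(g^(xa*xb) mod p)): the value XORed with the MAC key in DH-SHA256."""
    return hashlib.sha256(btwoc(shared_secret)).digest()


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def dh_association(rp_priv: int, op_priv: int, mac_key: bytes) -> bytes:
    """Both sides of a DH association: the OP masks the MAC key with the shared
    secret, the RP unmasks it. Returns the key as the RP recovers it."""
    rp_pub = pow(TOY_G, rp_priv, TOY_P)            # sent in the association request
    op_pub = pow(TOY_G, op_priv, TOY_P)            # returned in the association response
    enc_mac_key = xor_bytes(dh_mask(pow(rp_pub, op_priv, TOY_P)), mac_key)  # OP side
    return xor_bytes(dh_mask(pow(op_pub, rp_priv, TOY_P)), enc_mac_key)     # RP side


def kv_form(fields: dict, signed: list) -> bytes:
    """Key-value form of the signed fields, keys without the 'openid.' prefix."""
    return "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()


def sign(mac_key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over the key-value form of the fields named in openid.signed."""
    signed = fields["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify(mac_key: bytes, fields: dict) -> bool:
    """RP-side check: recompute the MAC and compare in constant time.
    Works identically for a DH-derived or a pre-shared MAC key."""
    signed = fields["openid.signed"].split(",")
    expected = hmac.new(mac_key, kv_form(fields, signed), hashlib.sha256).digest()
    try:
        presented = base64.b64decode(fields["openid.sig"], validate=True)
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, presented)


def demo() -> tuple:
    """Sign a constructed id_res response, then verify it and a tampered copy."""
    mac_key = bytes(range(32))  # constructed; provisioned out of band or via DH
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://alice.example/",
        "openid.identity": "https://alice.example/",
        "openid.return_to": "https://rp.example/finish",
        "openid.response_nonce": "2009-03-17T19:54:11Zabc123",
        "openid.assoc_handle": "preshared-handle-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle",
    }
    fields["openid.sig"] = sign(mac_key, fields)
    tampered = dict(fields, **{"openid.return_to": "https://other.example/finish"})
    return verify(mac_key, fields), verify(mac_key, tampered)


if __name__ == "__main__":
    print(demo())  # (True, False)
    key = bytes(range(32))
    print(dh_association(123456789, 987654321, key) == key)  # True
```

The design point is in `verify()`: it takes the MAC key as an opaque input. An RP that keeps a table of `assoc_handle` to pre-shared key, filled from an out-of-band channel, needs no association endpoint at all; one that negotiates keys on the wire feeds the output of `dh_association()` into the same table. Either way, `hmac.compare_digest` and a strict base64 decode keep the comparison constant-time and reject malformed signatures.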


