[OpenID] Backwards Compatibility
John Bradley
john.bradley at wingaa.com
Wed Mar 18 01:59:48 UTC 2009
Peter,
I have to agree that all OPs are of consequence. (perhaps some
slightly more than others)
That is why keeping DH key exchange for non SSL OP is worthwhile.
On the other hand I can understand if some OPs and RPs choose to make
decisions to limit interoperability for their own use cases.
I think Yahoo is entirely within their rights to say that if RPs can't
do SSL they will not provide assertions to them.
OpenID has no conformance test, unlike some other protocols. That
is both good and bad. While having such tests may be useful in some
environments, it would be unfortunate if smaller players or
individuals are excluded from acting as their own OPs.
I think people should be allowed to provide their own service and take
their own risks if they are informed.
However there is never a guarantee that any ID will be accepted at every
RP.
For you and Shade I have added an OSIS test for RPs accepting CA Cert
certificates.
This is a bit of an odd test, in that I honestly don't know if
accepting the cert is pass or fail.
I think what to do should be left up to the RP's policy.
In any event there is now a test that people can run to check what an
RP is accepting.
https://test-id.org/RP/CACert.aspx
Regards
John Bradley
On 17-Mar-09, at 3:01 PM, general-request at openid.net wrote:
> Date: Tue, 17 Mar 2009 15:01:20 -0700
> From: Peter Williams <pwilliams at rapattoni.com>
> Subject: Re: [OpenID] Backwards Compatibility
> To: Andrew Arnott <andrewarnott at gmail.com>, Allen Tom
> <atom at yahoo-inc.com>
> Cc: "general at openid.net" <general at openid.net>
> Message-ID:
> <BFBC0F17A99938458360C863B716FE46398DCA858A at simmbox01.rapnt.com>
> Content-Type: text/plain; charset="us-ascii"
>
> Hmm. Now I object.
>
> That presupposes (yet again) that only well known OPs are of any
> consequence.
>
> What SSL taught us is that what really matters is the half billion
> SSL domains that hardly anyone knows about (they are almost all wifi
> routers, with a self-signed cert for https admin)
>
> All depends on what the mission of openid is. 10 giant megaOPs, or
> the little guy (of which there are a lot).
>