[OpenID] D-H vs SSL
Allen Tom
atom at yahoo-inc.com
Thu Mar 19 01:08:38 UTC 2009
Martin Atkins wrote:
> However, I'm hesitant to support it without some research to show
> that existing RPs in the wild aren't doing DH over SSL, since such RPs
> would of course be broken by such a change.
>
Last time I checked, most RPs were doing DH over SSL to the Yahoo OP.
As you very correctly pointed out, we would not be able to turn DH off
without breaking existing RPs, but it would be nice if the OpenID spec
discouraged this behavior, so that we could eventually eliminate this
redundancy.
Also, based on our logs, it looks like some people were trying to learn
how to implement DH while building their OpenID support. This is really
not a good idea, and there's really no reason for RP developers to try
to figure out DH if they don't have to.
Personally, one of the most attractive traits of OpenID is its relative
simplicity compared to other protocols, and that it only implements
things that people really need. Instead of expanding the protocol on
every revision, perhaps OpenID could set an example by removing things
that aren't really used.
Allen
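To make the redundancy Allen describes concrete, here is an added example (written for this page, not code from the thread, Yahoo, or any OpenID library) that simulates both OpenID 2.0 association session types between an RP and an OP. With `DH-SHA256` the OP masks the MAC key with a Diffie-Hellman shared secret so it never appears on the wire; with `no-encryption` the MAC key is sent as-is and the transport (TLS) is what protects it. The group parameters, the `assoc_handle` value and the `over_tls` flag are constructed assumptions for the demo; the modulus is a small known prime rather than the spec's default 1024-bit group.

```python
import base64
import hashlib
import secrets

# Constructed demo parameters (NOT the OpenID 2.0 default modulus): the
# Mersenne prime 2^127 - 1 with generator 2. The arithmetic is the same as
# with the spec's default group; only the size differs.
DEMO_P = (1 << 127) - 1
DEMO_G = 2
OPENID_NS = "http://specs.openid.net/auth/2.0"


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding OpenID uses for DH integers
    (a leading zero byte is added when the high bit is set)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def unb64(text: str) -> bytes:
    return base64.b64decode(text)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "mask and MAC key must be the same length"
    return bytes(x ^ y for x, y in zip(a, b))


def kv_encode(fields: dict) -> str:
    """OpenID key-value form: one 'key:value' per line, newline-terminated."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items())


def kv_decode(body: str) -> dict:
    return dict(line.split(":", 1) for line in body.splitlines() if line)


def op_associate(request: dict, p: int = DEMO_P, g: int = DEMO_G) -> tuple[bytes, str]:
    """OP side of 'openid.mode=associate': mint a 32-byte HMAC-SHA256 key and
    return (mac_key, key-value response body)."""
    mac_key = secrets.token_bytes(32)
    session_type = request["openid.session_type"]
    if session_type == "no-encryption":
        # Plain MAC key: confidentiality comes from TLS, not from OpenID.
        body = {"session_type": "no-encryption", "mac_key": b64(mac_key)}
    elif session_type == "DH-SHA256":
        rp_public = int.from_bytes(unb64(request["openid.dh_consumer_public"]), "big")
        y = secrets.randbelow(p - 2) + 1            # OP's ephemeral DH exponent
        mask = hashlib.sha256(btwoc(pow(rp_public, y, p))).digest()
        body = {
            "session_type": "DH-SHA256",
            "dh_server_public": b64(btwoc(pow(g, y, p))),
            "enc_mac_key": b64(xor_bytes(mask, mac_key)),  # MAC key XOR H(shared)
        }
    else:
        raise ValueError(f"unsupported session_type {session_type!r}")
    body.update({"ns": OPENID_NS, "assoc_type": "HMAC-SHA256",
                 "assoc_handle": "demo-handle",  # constructed placeholder
                 "expires_in": "3600"})
    return mac_key, kv_encode(body)


def rp_associate(session_type: str, over_tls: bool,
                 p: int = DEMO_P, g: int = DEMO_G) -> tuple[bytes, bytes, str]:
    """RP side: run one association and return
    (mac_key recovered by RP, mac_key minted by OP, response as seen on the wire)."""
    if session_type == "no-encryption" and not over_tls:
        # The spec forbids sending a bare MAC key over an unencrypted transport.
        raise ValueError("no-encryption session_type requires TLS")
    request = {"openid.ns": OPENID_NS, "openid.mode": "associate",
               "openid.assoc_type": "HMAC-SHA256", "openid.session_type": session_type}
    x = None
    if session_type == "DH-SHA256":
        x = secrets.randbelow(p - 2) + 1            # RP's ephemeral DH exponent
        request["openid.dh_consumer_public"] = b64(btwoc(pow(g, x, p)))
    op_mac_key, wire = op_associate(request, p, g)
    fields = kv_decode(wire)
    if session_type == "no-encryption":
        rp_mac_key = unb64(fields["mac_key"])
    else:
        op_public = int.from_bytes(unb64(fields["dh_server_public"]), "big")
        mask = hashlib.sha256(btwoc(pow(op_public, x, p))).digest()
        rp_mac_key = xor_bytes(mask, unb64(fields["enc_mac_key"]))
    return rp_mac_key, op_mac_key, wire


def secret_visible_on_wire(mac_key: bytes, wire: str) -> bool:
    """True if the base64 MAC key appears verbatim in the response body."""
    return b64(mac_key) in wire


if __name__ == "__main__":
    for st in ("DH-SHA256", "no-encryption"):
        rp_key, op_key, wire = rp_associate(st, over_tls=True)
        print(f"{st}: keys match={rp_key == op_key}, "
              f"key visible on wire={secret_visible_on_wire(op_key, wire)}")
```

Run over TLS, both paths yield the same MAC key at both ends; the only difference is whether the key is readable in the HTTP body that TLS is already encrypting, which is exactly the duplicated work the thread is arguing to discourage. The `over_tls` check is the one an RP should keep: `no-encryption` is only acceptable when the transport itself is protected.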