[OpenID] D-H vs SSL
Martin Atkins
mart at degeneration.co.uk
Thu Mar 19 04:10:45 UTC 2009
Allen Tom wrote:
>
> Personally, one of the most attractive traits of OpenID is its relative
> simplicity compared to other protocols, and that it only implements
> things that people really need. Instead of expanding the protocol on
> every revision, perhaps OpenID could set an example by removing things
> that aren't really used.
>
I've no objection to that on principle. My position is that we should
use research to find out what's "not really used", rather than guessing.
Clearly, from your limited research, DH over SSL is not something we can
completely remove in the next revision despite it being redundant.
However, I agree that it should be discouraged.

The approach used for HTML5 is to have basically a separate spec for
authors than for browser implementers. The author spec describes what's
allowed, and the implementors spec defines how to deal with the stuff
that's not allowed.

While there's a bunch of things that are sub-optimal about the HTML5
spec process in my opinion, this is a model I do agree with to a certain
extent: clearly separating the requirements for OPs from the requirements
for RPs, so that RPs can be told that they MUST NOT use DH over SSL
while OPs can be told that they SHOULD implement it to support existing
implementations.