[OpenID] AX implementations
Shane B Weeden
sweeden at au1.ibm.com
Mon Sep 28 23:44:06 UTC 2009
> This is a pretty good idea, and should satisfy most use cases. The only
> problem is standardizing on the attribute names.
Which is no harder than AX. In closed systems it's a no-brainer, and I want
ppl to be able to use standardized libraries in both closed and open
systems. If someone codes a standard library strictly to the spec, and I
want to offer extended SREG, then it won't work. I've already seen at least
one implementation do this. And for what benefit?!
Allen Tom <atom at yahoo-inc.com>
29/09/2009 03:52
To: Shane B Weeden/Australia/IBM at IBMAU, openid-general at lists.openid.net
Subject: Re: [OpenID] AX implementations
Shane B Weeden wrote:
>
> Mostly agree, although implementations may just switch to POST per the spec
> when messages get long, and this seems to work ok for me.
Returning responses via POST doesn't work as well as GET in many cases.
The biggest issue is that many browsers (IE/Firefox) will display a very
ugly security warning if the RP's return_to URL does not support HTTPS.
This warning is displayed if the OP returns the response using a
self-submitting form that's served over HTTPS. Many browsers display a
security warning when a form that's served using HTTPS is submitted to
HTTP.
Other problems with using POST are that JS has to be enabled, and an
intermediate "blank white page" is usually returned to submit the form.
> What I wanted to
> see (and previously posted about with little support) was this change to
> the SREG 1.1 draft spec to allow SREG to be extensible. In section 4
> change:
>
> A single field MUST NOT be repeated in the response, and all included
> fields MUST be taken from the set of fields defined in this specification.
> to:
> A single field MUST NOT be repeated in the response.
>
> Then SREG is "legally" extensible and lighter weight and easier to use.
This is a pretty good idea, and should satisfy most use cases. The only
problem is standardizing on the attribute names.
Allen
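The effect of the section 4 wording discussed above on a relying-party library, as an added example that is not part of the original messages or of any OpenID library: the strict mode enforces both clauses of the current text, the extensible mode only the "MUST NOT be repeated" clause. It assumes the fixed "openid.sreg." prefix and leaves out signature verification; the field "employee_id" and the sample query strings are constructed.

```python
from urllib.parse import parse_qsl

# The nine fields defined by the SREG specification.
SREG_FIELDS = {"nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone"}
PREFIX = "openid.sreg."  # assumption: fixed prefix, no namespace alias lookup


def parse_sreg(query, extensible=False):
    """Return the SREG fields found in a response query string.

    Raises ValueError if a field is repeated, or, when extensible is
    False, if a field is outside the set defined by the specification.
    """
    fields = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if not key.startswith(PREFIX):
            continue
        name = key[len(PREFIX):]
        if name in fields:
            # Applies under both wordings of section 4.
            raise ValueError("repeated SREG field: " + name)
        if not extensible and name not in SREG_FIELDS:
            # Applies only under the current (strict) wording.
            raise ValueError("field not defined by SREG: " + name)
        fields[name] = value
    return fields


def accepted(query, extensible):
    """True if the response passes validation in the given mode."""
    try:
        parse_sreg(query, extensible)
        return True
    except ValueError:
        return False


# Constructed responses; "employee_id" is a hypothetical extended field.
STANDARD = ("openid.mode=id_res&openid.sreg.email=alice%40example.com"
            "&openid.sreg.nickname=alice")
EXTENDED = STANDARD + "&openid.sreg.employee_id=12345"
REPEATED = STANDARD + "&openid.sreg.email=mallory%40example.com"

if __name__ == "__main__":
    for label, q in (("standard", STANDARD), ("extended", EXTENDED),
                     ("repeated", REPEATED)):
        print(label, "strict:", accepted(q, False),
              "extensible:", accepted(q, True))
```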