What does "clearly deprecated" mean? I hope not that an implementation is forbidden to implement 1.1 support. For instance, DotNetOpenAuth offers interop with both 1.1 and 2.0 remotes, and ensure that it is just as secure either way by going to extra steps when dealing with the 1.1 remotes, less possibly the RP discovery step, which isn't even required by any 2.0 OP that I know of. It seems that deliberately cutting off interop support with 1.1 would be a step backwards.<div>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">On Mon, Mar 16, 2009 at 10:23 AM, David Recordon <span dir="ltr"><<a href="mailto:david@sixapart.com">david@sixapart.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
Hey Carsten,<br>
I agree with you. It's time to make sure that 1.1 is clearly deprecated and that everyone implements 2.1 once it is completed.<br><font color="#888888">
<br>
--David</font><div><div></div><div class="h5"><br>
<br>
On Mar 10, 2009, at 1:28 PM, Carsten Pötter wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Allen Tom mentioned the wiki page of the OpenID 2.1 spec<br>
(<a href="http://wiki.openid.net/OpenID_Authentication_2_1" target="_blank">http://wiki.openid.net/OpenID_Authentication_2_1</a>) today. While I am<br>
not a developer I was curious and had a look at it. ;) Besides<br>
correcting errata "maintaining backwards compatibility with OpenID<br>
Authentication 2.0 to the greatest degree possible" is an aim of the<br>
spec as well. I think that's a good intention, though I'd like the<br>
next spec to be clear that both RP's and OP's have to support OpenID<br>
2.0 as well.<br>
<br>
Compatibility to OpenID 1.1 was not required by the OpenID 2.0 spec:<br>
"OpenID Authentication 2.0 implementations SHOULD support OpenID<br>
Authentication 1.1 compatibility, unless security considerations make<br>
it undesirable"<br>
(<a href="http://openid.net/specs/openid-authentication-2_0.html#compat_mode" target="_blank">http://openid.net/specs/openid-authentication-2_0.html#compat_mode</a>).<br>
So currently, there are two specs out there, which is confusing to a<br>
lot of users. They try to log in to a RP with their Yahoo! account but<br>
can't because the RP is only supporting OpenID 1.1. People give in,<br>
write angry blog posts about OpenID being complicated, being just for<br>
geeks,... I guess, you all know those stories.<br>
<br>
When it was clear that Yahoo! (and later Google as well) was only<br>
supporting OpenID 2.0, I thought OpenID 1.1 implementations were<br>
quickly updated. But it seems, they're not. So it was a really bad<br>
idea, if there was a third spec around which didn't require<br>
compatibility to OpenID 2.0. I am aware that, e.g. Yahoo! wasn't<br>
supporting OpenID yet, if it had to comply with OpenID 1.1 as well (if<br>
I remember correctly, of course). So maybe the wording in the OpenID<br>
2.0 spec was a compromise. I don't know, but it shouldn't happen<br>
again, I think.<br>
<br>
I hope, this post makes sense. Also maybe this is better suited for<br>
the specs list, but I'm not sure.<br>
<br>
Carsten<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</blockquote>
<br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div>