<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Peter,<div><br></div><div>I have to agree that all OPs are of consequence (perhaps some slightly more than others).</div><div><br></div><div>That is why keeping DH key exchange for non-SSL OPs is worthwhile.</div><div><br></div><div>On the other hand, I can understand if some OPs and RPs choose to make decisions to limit interoperability for their own use cases.</div><div><br></div><div>I think Yahoo is entirely within their rights to say that if RPs can't do SSL they will not provide assertions to them.</div><div><br></div><div>OpenID has no conformance test, unlike some other protocols. That is both good and bad. While having such tests may be useful in some environments, it would be unfortunate if smaller players or individuals were excluded from acting as their own OPs.</div><div><br></div><div>I think people should be allowed to provide their own service and take their own risks if they are informed.</div><div>However, there is never a guarantee that any ID will be accepted at every RP.</div><div><br></div><div>For you and Shade I have added an OSIS test for RPs accepting CA Cert certificates.</div><div><br></div><div>This is a bit of an odd test, in that I honestly don't know if accepting the cert is pass or fail.</div><div>I think what to do should be left up to the RP's policy.
</div><div><br></div><div>In any event, there is now a test that people can run to check what an RP is accepting.</div><div><a href="https://test-id.org/RP/CACert.aspx">https://test-id.org/RP/CACert.aspx</a></div><div><br></div><div>Regards</div><div>John Bradley</div><div><br></div><div><div><div>On 17-Mar-09, at 3:01 PM, <a href="mailto:general-request@openid.net">general-request@openid.net</a> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: -webkit-monospace; font-size: 10px; ">Date: Tue, 17 Mar 2009 15:01:20 -0700<br>From: Peter Williams <<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>><br>Subject: Re: [OpenID] Backwards Compatibility<br>To: Andrew Arnott <<a href="mailto:andrewarnott@gmail.com">andrewarnott@gmail.com</a>>, Allen Tom<br><span class="Apple-tab-span" style="white-space: pre; ">        </span><<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>><br>Cc: "<a href="mailto:general@openid.net">general@openid.net</a>" <<a href="mailto:general@openid.net">general@openid.net</a>><br>Message-ID:<br><span class="Apple-tab-span" style="white-space: pre; ">        </span><<a href="mailto:BFBC0F17A99938458360C863B716FE46398DCA858A@simmbox01.rapnt.com">BFBC0F17A99938458360C863B716FE46398DCA858A@simmbox01.rapnt.com</a>><br>Content-Type: text/plain; charset="us-ascii"<br><br>Hmm. Now I object.<br><br>That presupposes (yet again) that only well-known OPs are of any consequence.<br><br>What SSL taught us is that what really matters is the half billion SSL domains that hardly anyone knows about (they are almost all wifi routers, with a self-signed cert for https admin).<br><br>All depends on what the mission of openid is. 10 giant megaOPs, or the little guy (of which there are a lot).<br><br></span></blockquote></div><br></div></body></html>
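The DH key exchange John says is worth keeping for non-SSL OPs, shown as an added example (not part of this thread and not code from any OpenID library): both sides of an OpenID 2.0-style DH-SHA256 association, in which the OP masks the shared MAC key by XORing it with SHA-256 of the DH shared secret, followed by the RP using that MAC key to check the HMAC on an assertion. Assumptions: the modulus is the RFC 3526 group 14 prime rather than the OpenID default modulus, and the signed-field serialization is simplified to sorted "key:value" lines; the sample assertion fields are constructed.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the thread or from any OpenID implementation.
# Assumption: RFC 3526 group 14 (2048-bit MODP) is used as the DH group because
# it is a well-known safe prime; the OpenID spec's default modulus is a
# different, spec-defined value.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
MAC_KEY_LEN = 32  # HMAC-SHA256 key; must match the SHA-256 digest size for the XOR step


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding OpenID uses for DH integers."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:  # prefix a zero byte so the value stays positive
        b = b"\x00" + b
    return b


def rp_association_request():
    """RP side: choose a private exponent x and send g^x mod p to the OP."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def op_association_response(rp_pub: int, mac_key: bytes):
    """OP side: derive the shared secret, return g^y mod p and the MAC key
    XORed with SHA-256(btwoc(shared))."""
    y = secrets.randbelow(P - 2) + 1
    shared = pow(rp_pub, y, P)
    pad = hashlib.sha256(btwoc(shared)).digest()
    enc_mac_key = bytes(a ^ b for a, b in zip(mac_key, pad))
    return pow(G, y, P), enc_mac_key


def rp_recover_mac_key(x: int, op_pub: int, enc_mac_key: bytes) -> bytes:
    """RP side: recompute the shared secret and unmask the MAC key."""
    shared = pow(op_pub, x, P)
    pad = hashlib.sha256(btwoc(shared)).digest()
    return bytes(a ^ b for a, b in zip(enc_mac_key, pad))


def run_association(mac_key=None):
    """Whole exchange; returns (key the OP chose, key the RP recovered)."""
    if mac_key is None:
        mac_key = secrets.token_bytes(MAC_KEY_LEN)
    x, rp_pub = rp_association_request()
    op_pub, enc = op_association_response(rp_pub, mac_key)
    return mac_key, rp_recover_mac_key(x, op_pub, enc)


def sign_assertion(mac_key: bytes, fields: dict) -> str:
    """Simplified OpenID signature: HMAC-SHA256 over sorted "key:value\\n" lines."""
    msg = "".join(f"{k}:{v}\n" for k, v in sorted(fields.items())).encode()
    return hmac.new(mac_key, msg, hashlib.sha256).hexdigest()


def verify_assertion(mac_key: bytes, fields: dict, sig: str) -> bool:
    """RP side: constant-time check of the assertion signature."""
    return hmac.compare_digest(sign_assertion(mac_key, fields), sig)


if __name__ == "__main__":
    op_key, rp_key = run_association()
    print("MAC keys agree:", op_key == rp_key)
    # constructed sample assertion fields
    fields = {"openid.mode": "id_res", "openid.claimed_id": "https://example.com/alice"}
    sig = sign_assertion(op_key, fields)
    print("assertion verifies:", verify_assertion(rp_key, fields, sig))
```

What the exchange buys an RP talking to a plain-HTTP OP is that the MAC key never travels in the clear, so a passive observer of the association cannot forge assertions. What it does not buy is authentication of the OP endpoint: the DH values are unsigned, so the RP only knows it shares a key with whoever answered at that URL. That is the property an SSL endpoint with a certificate the RP trusts adds, and it is why the question John's CA Cert test probes (which certificates an RP accepts) is an RP policy decision with real consequences rather than a cosmetic one.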