[security] security
Martin Atkins
mart at degeneration.co.uk
Sat Oct 28 15:00:42 UTC 2006
Chris Drake wrote:
> Hi Martin,
>
> MA> I prefer
> MA> the design principle of having lots of simple, focused components that
> MA> solve only one problem.
>
> Please show us your list of problems that you believe OpenID solves,
> and the components that make up the solutions.
>
The spec that we are calling "OpenID Authentication" provides a protocol
for an RP to ask an IdP whether some user controls a given URI.

It specifies the use of another protocol — Yadis — as a mechanism to
discover a list of IdPs that will answer for a given URI.

Anything else is outside of the scope of OpenID Authentication.

You will probably note that OpenID 2.0 has grown this scope a small
amount with the concept of directed identity, which provides a mechanism
for an RP to ask an IdP to respond with a URL that somehow represents a
user. [1]

Notice that I'm distinguishing between "OpenID Authentication", which is
the spec we're currently working on, and "OpenID" itself, which I hope
will slowly grow into a suite of inter-operable technologies
related to decentralized identity.

There are a few other specs currently being considered which are related
to, but are not part of, OpenID Authentication:

* "Simple Registration", for automating the provision of simple
  user profile information to RPs.
* "Attribute Exchange", which I'm not really following and don't know
  much about.

...and obviously, there's a lot of debate about how RPs should determine
whether to trust particular IdPs and identifiers, but as far as I'm
aware no-one is working on any concrete proposals related to this right
now. I imagine this will become an area of focus for lots of people once
OpenID Authentication 2.0 is finished.
-------
[1] I personally would have preferred directed identity as a separate
spec, but there we go. You can't win 'em all. :)