This email (and the linked wiki page) come out of a meeting a few months ago where a small group of folks tried to look at the early draft on <a href="http://openidconnect.com/">http://openidconnect.com/</a> and reconcile it with current implementations (outside of OpenID) as well as near term needs moving forward. I'd really recommend taking a look at the wiki page (<a href="http://wiki.openid.net/Future-OpenID-Technical-Requirements">http://wiki.openid.net/Future-OpenID-Technical-Requirements</a>) as the list captures most of the gaps and questions which have been identified.<div>
<br></div><div>There really seem to be two big unknowns that jump out at me:</div><div>1) Discovery. While the early proposal included one possibility we had hoped to see progress on an OAuth 2.0 discovery and unregistered clients spec. WebFinger also seems to be a bit up in the air.</div>
<div>2) Upgrade path from OpenID 2.0. It's patently clear that there must be a seamless upgrade path for people who have been signing into a site using OpenID 2.0 once their server starts to support OpenID Connect. While this is quite achievable, no real technical effort has been put into figuring out the details yet.</div>
<div><br></div><div>What else jumps out at you as major areas of work?</div><div><br></div><div>Thanks,</div><div>--David</div><div><br><br><div class="gmail_quote">---------- Forwarded message ----------<br>From: <b class="gmail_sendername">Allen Tom</b> <span dir="ltr"><<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>></span><br>
Date: Mon, Jun 21, 2010 at 6:58 PM<br>Subject: Requirements discussion of OpenID Future<br>To: OpenID Specs Mailing List <<a href="mailto:specs@openid.net">specs@openid.net</a>><br><br><br>Hi All,<br>
<br>
Therešs been a lot of discussion the past few weeks around specific<br>
technical proposals focused on moving OpenID forward. We wanted to take a<br>
step back and make sure that we understand the problems that there are broad<br>
consensus around solving over the next six to nine months. While there has<br>
also been some discussion around use cases and charters, there hasnšt yet<br>
been broad consensus.<br>
<br>
Today Yahoo!, Google, and Facebook met with some of the authors of Artifact<br>
Binding, the OpenID Connect proposal, and OAuth 2.0 to discuss our specific<br>
future requirements. We put together a summary document of 20+ items that<br>
we would like to see and wanted to start a discussion around them. Today<br>
helped to verify our instinct that we could achieve these OpenID goals by<br>
layering features on top of OAuth 2.0 while specifically maintaining the<br>
decentralized nature of OpenID.<br>
<br>
After this discussion it seems that the Connect work group charter can<br>
encompass this work and thus provides a mailing list and IPR policy to work<br>
on these items. Facebook, Google, and Yahoo! expect to be able to sign the<br>
contributor agreements for the OpenID Connect working group relatively soon.<br>
<br>
We hope that other OpenID community members and organizations will provide<br>
feedback on how this list compares to their needs and/or get involved in<br>
flushing out the technical details.<br>
<br>
Here's the list of features that we would like to see implemented in a<br>
future version of OpenID:<br>
<br>
<a href="http://wiki.openid.net/Future-OpenID-Technical-Requirements" target="_blank">http://wiki.openid.net/Future-OpenID-Technical-Requirements</a><br>
<br>
Feedback and discussion is more than welcome!<br>
<br>
Allen<br>
<br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
</div><br></div>