Summarizing Where We're At

Josh Hoyt josh at janrain.com
Tue Oct 17 17:30:19 UTC 2006


On 10/17/06, Dick Hardt <dick at sxip.com> wrote:
> Josh, would you elaborate on the reasoning behind your votes so that
> I (and others) understand?

Sure. I'll try to be brief.

> > On 10/15/06, Recordon, David <drecordon at verisign.com> wrote:
> >> * Request Nonce and Name
> >>  - Has been partially implemented, openid.nonce ->
> >> openid.response_nonce, no agreement on the need of a request nonce
> >> specifically, rather discussion has evolved into allowing a RP to pass
> >> "appdata" like in Yahoo's BBAuth.  No formal proposal on the table yet,
> >> thus will not be included in this version.
> >
> > Take no action

response_nonce is already in the spec [1]

There is no other proposal to vote on, so no vote, no action



> >> * Authentication Age
> >>  - Re-proposed today adding clarity in motivation, general consensus is
> >> needed to add to specification.
> >
> > -1

There is no reason for this to be in the core. I could make more
arguments about it, but I'll stop there, unless there is consensus
that it should go in the core.



> >> * Remove setup_url
> >>  - Little discussion and no general consensus to do so.  Rather seems
> >> asking for feedback from checkid_immediate implementers on the parameter
> >> would be beneficial at this time.
> >
> > +1

setup_url made the API for our libraries more complex. The relying
party does not need it to know how to proceed when immediate mode
fails.



> >> * Consolidated Delegation Proposal
> >>  - Very active discussion, the only proposal I'm willing to stall the
> >> spec for.  Seems very important a strong conceptual model is created at
> >> this time.

See the other 1000 messages about this topic.

> > -0 on status quo (draft 10)

The status quo works, but has some warts [2]

> > +0 on single-identifier

also has some warts (required IdP discovery, dependency on IdP support
for portable identifiers), but is less confusing than the status quo

> > +1 on two-identifier

two-identifier is explicit about what's going on without imposing any
policy on the IdP. Easy to understand and specify. Minimal change from
the current working system.



> >> * Change Default session_type
> >>  - Proposed, no discussion yet.
> >
> > Will address in separate message

Mike Glover beat me to it [3]. I'd rather just make the session type a
required parameter (no default)



> >> * Bare Request
> >>  - Proposed, no discussion yet.
> >
> > -0 (YAGNI)

You Ain't Gonna Need It [4]



Josh

1. http://openid.net/svn/listing.php?repname=specifications&path=%2F&rev=38&sc=1
2. http://openid.net/pipermail/specs/2006-October/000357.html
3. http://openid.net/pipermail/specs/2006-October/000481.html
4. http://www.google.com/search?q=yagni&btnI=1


