PROPOSAL: OpenID Form Clarification (A.4)

Recordon, David drecordon at verisign.com
Thu Oct 19 21:47:57 UTC 2006


Yes, section 8.1 is legacy from OpenID Auth 1.x as no best practices
document existed at the time, nor does one exist today separate from the
spec.  If one did exist, I'd imagine that sections 8.1 and A.4 would
reference it saying Relying Parties SHOULD follow it.

Looking at ftp://ftp.isi.edu/in-notes/rfc2119.txt:
> 3. SHOULD   This word, or the adjective "RECOMMENDED", mean that there
>   may exist valid reasons in particular circumstances to ignore a
>   particular item, but the full implications must be understood and
>   carefully weighed before choosing a different course.

To me, that is the correct level of force for all of section 8.1 and
A.4.

The RFC goes on to say:
> 6. Guidance in the use of these Imperatives
>
>   Imperatives of the type defined in this memo must be used with care
>   and sparingly.  In particular, they MUST only be used where it is
>   actually required for interoperation or to limit behavior which has
>   potential for causing harm (e.g., limiting retransmissions)  For
>   example, they must not be used to try to impose a particular method
>   on implementors where the method is not required for

In no case does the non-existence of anything described in 8.1 or A.4
cause the protocol, as described by the specification, to no longer
interoperate, between End Users, Relying Parties, and Identity
Providers, nor does it limit behavior as described by the specification.
This would certainly be different if this was an OpenID Rich Client
specification.  I'm certainly not saying it should actively try to limit
development atop it, but we must be pragmatic or we'll end up shooting
ourselves in the foot.

Combining this with the fact that there is no viable way to enforce
sections 8.1 or A.4 being MUSTs, I do not believe that they should be
changed from SHOULDs.  The only conceivable way I could see of enforcing
something like this is telling a Relying Party that they cannot use
OpenID Authentication if they don't follow these non-essential markup
requirements; that is not something I am willing to do.

--David

-----Original Message-----
From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On
Behalf Of Jonathan Daugherty
Sent: Thursday, October 19, 2006 5:37 PM
To: Pete Rowley
Cc: specs at openid.net
Subject: Re: PROPOSAL: OpenID Form Clarification (A.4)

# A procedural point: If it is out of scope why is 8.1, and in
# particular that line, in the spec? I submit that it evidently _is_
# in scope since it is there.

I think it's there for convenience because no practices document existed
when that was inserted.  I think Josh was considering removing it
anyway, though.

--
  Jonathan Daugherty
  JanRain, Inc.