Backwards compatibility

Brad Fitzpatrick brad at danga.com
Tue Sep 26 00:31:02 UTC 2006


On Mon, 25 Sep 2006, Dick Hardt wrote:

> If this is the case (David Fuelling's summary) then backwards
> compatibility of the spec is not needed. If backwards compatibility
> is required, then the 2.0 spec can just say that 1.1 must also be
> supported.
>
> Although the spec may require systems to be backwards compatible, I
> would argue that should be a choice of the site and not forced. An RP
> may be concerned about supporting aspects of 1.1 due to replay
> attacks etc.,

And IdP can be resistant to replay attacks without 2.0.  The Perl
libraries for 1.x already do nonces.

Likewise, I haven't looked into it thoroughly, but I imagine people can do
bad nonces with 2.0.

> I would predict though that most sites will support both 1.1 and 2.0

One would hope.

I'm not sure I'd predict that, though.

If there's two specs that differ so much that all they share is a name, I
predict you'd only support enough to make it work with the major site or
sites you care about.

Which is why I'd like to keep LiveJournal at 1.x for the time being...
because hopefully people care enough about LiveJournal's mass that they'll
consider 1.x important.  And/or the 2.x designers recognize that big sites
(at least LiveJournal) will remain 1.x, so they'll do everything possible
to make sure 2.x isn't different just to be different, but has really good
reasons, and stays 1.x-interoperable with minimal pain to those having to
implement it.

- Brad




More information about the specs mailing list