Specifying identifier recycling
Johnny Bufu
johnny at sxip.com
Sun Jun 3 05:11:47 UTC 2007
On 2-Jun-07, at 5:14 PM, Recordon, David wrote:
> I'd like to see this written as an
> extension so that if the first approach doesn't work, the Auth spec
> itself doesn't have to be "reverted. Rather we can finish 2.0 and try
> implementing different approaches before deciding on the final way to
> solve this problem.
I thought we had agreed at IIW (for good reason) to address this in
2.0. Other than the actual solution not being 100% clear, has
anything changed?
Arguments for not putting it into an extension:
- users of provider's X who employs 'identifier recycling extension'
would not be able to log into RP Y who doesn't understand the extension
- it's likely that whatever solution we come up with affects the
discovery / verification processes, in which case it couldn't be
pushed to an extension (we're trying to patch something about the
_identifier_ itself, which is the center of each openid transaction).
Also, I believe the fragment approach can actually work, as detailed
here:
http://openid.net/pipermail/specs/2007-May/001767.html
I haven't seen any replies to this, so would appreciate if others
would go through the proposed changes and see if they all makes sense
of I've overlooked something.
Thanks,
Johnny
More information about the specs
mailing list