RFC: Final outstanding issues with the OpenID 2.0 Authentication specification
Sam Alexander
sam.alexander at vidoop.com
Thu May 17 19:17:53 UTC 2007
> . . .
> 1. Identifier recycling. There are two different use cases for
> identifier recycling. The first, and the one that most people who
> I have talked to really want to solve is that of a large provider
> that wants to allow re-use of parts of its namespace. The second
> is if a user wants to relinquish control of an identifier without
> relinquishing control of the places that they have used this
> identifier. A concrete example of this is if I ever choose to stop
> paying for j3h.us.
I wouldn't consider this a problem with the OpenID 2.0 spec. It's a
more general problem with namespaces everywhere.
This problem has already existed in the realm of e-mail for years
(which I think is a great precedent for the problems we will (and do)
face with OpenID). OpenID does an even better job of mitigating it
because of built-in delegation. I think this should be left up to
the OP to iron out (at least for now), and shouldn't be considered a
block for finalizing the OpenID 2.0.
> 2. Realm spoofing. This encompasses the attacks that Allen Tom has
> described (using redirectors, proxies or XSS attacks) that create
> new phishing opportunities and make certain types of phishing even
> worse.
There are solutions popping up like Verisign's plugin and our
myVidoop implementation that are taking shots at how to battle
phishing. Again, I don't think we should rest the responsibility of
fixing these issues on the 2.0 spec's shoulders. In fact, I think we
may be holding up development of the solutions to these problems by -
not- finalizing.
>
> If these four issues are resolved, can we call the OpenID 2.0
> Authentication specification done? Speak up if you have any other
> show-stoppers.
IMO, it's becoming increasingly important that the spec is finalized
and saved from becoming vaporspec(?), even if it requires shelving
issues until OpenID 2.1 or 2.5 (or God forbid, 3.0). RERO and what-not.
It's more important to finalize the spec, release production-level
code libraries and let people start developing against the new
features. OpenID needs to start seeing 2.0 live -- in the wild -- soon.
As it is, I know a lot of people (vidoop included) are waiting for
this finalization before we officially implement the spec.
-Sam
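The realm spoofing issue quoted above turns on how an OP decides whether the return_to URL an RP sends really lies inside the realm it claims. Below is an added example of that check as the OpenID 2.0 realm rules describe it (scheme and port must match, the host must equal the realm host or, for a "*." wildcard realm, be that host or a subdomain of it, and the realm path must be a prefix of the return_to path). It is written for this page and is not code from the thread, from Vidoop or from any OpenID library; the sample URLs are constructed, and the refusal of "*.tld" realms is an added hardening rather than a spec rule.

```python
"""Added example: OpenID 2.0 realm / return_to matching.

Constructed for this page to show the check an OP runs before it
redirects a user back to an RP. Not code from the thread or from Vidoop.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _parse(url):
    """Split url into (scheme, host, port, path, parts).

    Scheme and host are lowercased and a missing port is replaced by the
    scheme default, so "http://example.com/" and "HTTP://Example.com:80/"
    compare equal. An empty path is treated as "/".
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    return scheme, host, port, path, parts


def realm_is_sane(realm):
    """Reject realms the spec forbids: non-http(s) scheme, a fragment, or a
    wildcard anywhere but as the leftmost "*." label. Also rejects "*.com"
    style realms that would match every host in a TLD (added hardening,
    assumed here rather than required by the spec)."""
    scheme, host, port, _path, parts = _parse(realm)
    if scheme not in DEFAULT_PORTS or port is None or not host:
        return False
    if parts.fragment:
        return False
    if "*" in host:
        if not host.startswith("*."):
            return False            # wildcard must be the leftmost label only
        rest = host[2:]
        if "*" in rest or rest.count(".") < 1:
            return False            # "*.com" is too broad to be a realm
    return True


def return_to_matches_realm(return_to, realm):
    """True iff return_to lies inside realm: same scheme and port, host
    equal to the realm host (or, for "*.example.com", equal to example.com
    or a subdomain of it), and the realm path a prefix of the return_to
    path. Any insane realm fails closed."""
    if not realm_is_sane(realm):
        return False
    r_scheme, r_host, r_port, r_path, _ = _parse(realm)
    u_scheme, u_host, u_port, u_path, _ = _parse(return_to)
    if u_scheme != r_scheme or u_port != r_port or not u_host:
        return False
    if r_host.startswith("*."):
        suffix = r_host[2:]
        # "evil.example.com" matches "*.example.com";
        # "example.com.evil.net" must not.
        if not (u_host == suffix or u_host.endswith("." + suffix)):
            return False
    elif u_host != r_host:
        return False
    return u_path.startswith(r_path)


if __name__ == "__main__":
    # Constructed sample pairs: (return_to, realm, expected)
    samples = [
        ("http://example.com/openid/return", "http://example.com/openid/", True),
        ("http://example.com:80/openid/return", "http://example.com/", True),
        ("http://example.com/openid/return", "http://example.com/admin/", False),
        ("https://example.com/openid/return", "http://example.com/", False),
        ("http://example.com:8080/return", "http://example.com/", False),
        ("http://login.example.com/return", "http://*.example.com/", True),
        ("http://example.com.evil.net/return", "http://*.example.com/", False),
        ("http://anything.com/return", "http://*.com/", False),
    ]
    for return_to, realm, expected in samples:
        got = return_to_matches_realm(return_to, realm)
        print(f"{'ok ' if got == expected else 'BAD'} {return_to} in {realm}: {got}")
```

This check is what keeps an RP from naming a realm it does not control, but it does nothing against the attacks quoted above: an open redirector, a proxy page or an XSS hole on the RP's own site produces a return_to that genuinely lies inside the realm, so the match succeeds and the user is bounced on from there. The countermeasure the 2.0 specification aims at that case is OP-side discovery of the RP's declared return_to endpoints (return URL verification), which this example does not implement.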