Completing the SREG 1.1 specification
Allen Tom
atom at yahoo-inc.com
Tue Dec 2 23:41:50 UTC 2008

Yahoo is currently testing SREG, and we'd like to see the 1.1 SREG draft
updated to clarify any ambiguities before we're done testing. We'd also
like to see the schema updated to include the user's profile pic.

We decided to build support for SREG before AX because SREG seems to be
more widely used, and also because SREG allows the RP to pass the URL to
its privacy policy in the request. Strangely, AX does not have an
interface for the RP to pass its privacy policy to the OP. We have a
mandatory requirement from our legal and privacy teams to be able to
link to the RP's privacy policy on our OpenID approval page before
sharing any user data with an RP.

We'd like SREG to be updated to enable the profile pic to be in the
schema, and also any other cleanup that's needed for OpenID 2.0 OPs to
support it.

Moving forward, we'd also like to support both SREG and AX, if AX is
updated to allow the privacy policy URL to be included in the request.
Alternatively, OPs which support the OpenID/OAuth hybrid protocol can
just tie the privacy policy to an OAuth consumer key, assuming that the
OP requires pre-registered consumer keys.

I'd be happy to help contribute to SREG and AX specs if the owners of
the spec would like me to.

Allen

David Recordon wrote:
> I certainly want to see us push the world to implementing AX instead
> of SREG, though agree with Mart that there are existing
> interoperability problems with SREG that would be nice to fix given
> that large OPs are still implementing it in a broken fashion. I'd see
> no issue with including in the SREG spec that people really should go
> use AX instead.
>
>> On 28-Nov-08, at 11:28 PM, Martin Atkins wrote:
>>
>>> As long as folks still want to implement SREG, I think it's beneficial
>>> to have a specification that actually works in practice, which the
>>> current draft does not.