Completing the SREG 1.1 specification

[Allen Tom]

Yahoo is currently testing SREG, and we'd like to see the 1.1 SREG draft 
updated to clarify any ambiguities before we're done testing. We'd also 
like to see the schema updated to include the user's profile pic.

We decided to build support for SREG before AX because SREG seems to be 
more widely used, and also because SREG allows the RP to pass the url to 
its privacy policy in the request. Strangely, AX does not have an 
interface for the RP to pass its privacy policy to the OP.  We have a 
mandatory requirement from our legal and privacy teams to be able to 
link to the RP's privacy policy on our OpenID approval page before 
sharing any user data with an RP.

We'd like SREG to be updated to enable the profile pic to be in the 
schema, and also any other cleanup that's needed for OpenID 2.0 OPs to 
support it.

Moving forward, we'd also like to support both SREG and AX, if AX is 
updated to allow the privacy policy url to be included in the request. 
Alternatively, OPs which support the OpenID/OAuth hybrid protocol can 
just tie the privacy policy to an OAuth consumer key, assuming that the 
OP requires pre-registered consumer keys.

I'd be happy to help contribute to SREG and AX specs if the owners of 
the spec would like me to.

Allen


David Recordon wrote:
> I certainly want to see us push the world to implementing AX instead  
> of SREG, though agree with Mart that there are existing  
> interoperability problems with SREG that would be nice to fix given  
> that large OPs are still implementing it in a broken fashion.  I'd see  
> no issue with including in the SREG spec that people really should go  
> use AX instead.
>
>
>   
>> On 28-Nov-08, at 11:28 PM, Martin Atkins wrote:
>>
>>     
>>>
>>> As long as folks still want to implement SREG, I think it's  
>>> beneficial
>>> to have a specification that actually works in practice, which the
>>> current draft does not.
>>>