Proposing an OpenID Authentication 2.1 Working Group
Martin Atkins
mart at degeneration.co.uk
Tue Nov 11 19:02:16 UTC 2008
Here's the output from today's IIW session on this:
2.0 has been finalized
bunch of implementations
found lots of spec bugs
also gone and done OAuth and email addresses and other things. Can we
support these in the core spec?
- Making the spec more readable and fixing bugs (errata)
- Delegation
- Error handling
- Adding a security appendix
  - could be a separate document referred to by the spec
  - possibly produced by separate group
  - Who controls this security page?
    - Security committee could look after this.
    - or Allen at Yahoo! will be editing a security document
- Clarifying XRI
  - Currently there's no firm message about whether RPs MUST support
    XRIs or not.
  - Need to clarify how exactly XRI should be used with OpenID.
  - Similar to the whitelist question.
- Clarify if RPs can white or blacklist what OPs they accept, and
  vice-versa.
- Discovery of type of identifiers an RP supports.
- Clarifying IRI
- Updating discovery. Possibly including the new-fangled XRD discovery.
- Clarifying whether association over SSL must/can use Diffie-Hellman.
- Discovery of support of checkid_immediate.
Exploratory work:
- Signature mechanisms. Looking at additionally supporting the
  mechanisms defined in OAuth so that they can be closer together.
  - Possibly deprecating the current signature mechanism.
  - Public keys?
- Email-shaped identifiers for OpenID
  - Could be a separate working group?
There was consensus that email-shaped identifiers would be worked on by
a separate group and possibly rolled into 2.1 if it's done in time.
- Smart/rich clients?
  - Could be in this WG unless it ends up being a big change in which
    case it could be its own WG.
  - There's another session about this.