[OIDFSC] OpenID v.Next Discovery Working Group Proposal

Johannes Ernst jernst+openid.net at netmesh.us
Mon May 24 02:50:01 UTC 2010 

Allen, combining what you just wrote with what Brian said on the board mailing list about MRDs -- perhaps it would make sense to set up a "bug tracking system" of some kind and use that to drive spec evolution?

On May 23, 2010, at 18:56, Allen Tom wrote:

> Hi Johannes,
> 
> There isn’t a document summarizing the deficiencies with OpenID 2.0 discovery – I think it would be very useful for the WG and for the Community if we wrote this down
> 
> Off the top of my head, some of the problems are:
> 
> Yadis discovery is very vague as to exactly how the RP is supposed to fetch the OP’s discovery document. Should it send the magic Accept header? Look for the X-XRDS-Location header in the response? Do HTML discovery? In practice, many implementers have had problems implementing discovery because there are too many ways to do it
> Speaking of Yadis, the specs need to be revised, and it’s unclear how to go about doing this
> Because a compromised discovery document can result in the complete breakdown in OpenID security – it’s important that we find ways to increase the security of discovery – perhaps it can be signed? Moved into DNS?
> Discovery is hard to implement – the majority of the code in OpenID libraries is to implement discovery. We can probably simplify discovery to require less code to implement
> Delegation is a really useful feature in OpenID – it was pretty straightforward in OpenID 1.1, but is very confusing (to say the least) in OpenID 2.0 – we can probably do something in discovery to make delegation work better
> The infamous NASCAR problem could possibly be helped by discovery
> The infamous phishing problem could also possibly be helped by discovery
> LRDD, host-meta, and webfinger are pretty interesting – we should see how OpenID can leverage these new specs
> 
> I’m sure that there are more issues with OpenID 2.0 discovery. Anyone else want to take a stab at it?
> 
> Allen
> 
> 
> On 5/21/10 7:55 PM, "Johannes Ernst" <jernst+openid.net at netmesh.us> wrote:
> 
>> On May 21, 2010, at 19:28, Allen Tom wrote:
>> 
>>> ... there’s universal consensus that the existing OpenID 2.0 discovery mechanism is very deficient ...
>> 
>> Is there a summary somewhere of this "universal consensus" of deficiencies?
>> 
>> Thanks,
>> 
>> 
>> Johannes Ernst
>> NetMesh Inc.
>> 
>> 
>> 
>> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20100523/3e7271d1/attachment.html>

More information about the specs mailing list