<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Allen, combining what you just wrote with what Brian said on the board mailing list about MRDs -- perhaps it would make sense to set up a "bug tracking system" of some kind and use that to drive spec evolution?<div><br><div><div>On May 23, 2010, at 18:56, Allen Tom wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>
<font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Hi Johannes,<br>
<br>
There isn’t a document summarizing the deficiencies with OpenID 2.0 discovery – I think it would be very useful for the WG and for the Community if we wrote this down.<br>
<br>
Off the top of my head, some of the problems are:<br>
<br>
</span></font><ul><li><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Yadis discovery is very vague as to exactly how the RP is supposed to fetch the OP’s discovery document. Should it send the magic Accept header? Look for the X-XRDS-Location header in the response? Do HTML discovery? In practice, many implementers have had problems implementing discovery because there are too many ways to do it
</span></font></li><li><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Speaking of Yadis, the specs need to be revised, and it’s unclear how to go about doing this
</span></font></li><li><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Because a compromised discovery document can result in the complete breakdown in OpenID security – it’s important that we find ways to increase the security of discovery – perhaps it can be signed? Moved into DNS?
</span></font></li><li><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Discovery is hard to implement – the majority of the code in OpenID libraries is to implement discovery. We can probably simplify discovery to require less code to implement
</span></font></li><li><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Delegation is a really useful feature in OpenID – it was pretty straightforward in OpenID 1.1, but is very confusing (to say the least) in OpenID 2.0 – we can probably do something in discovery to make delegation work better
</span></font></li><li><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">The infamous NASCAR problem could possibly be helped by discovery
</span></font></li><li><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">The infamous phishing problem could also possibly be helped by discovery
</span></font></li><li><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">LRDD, host-meta, and webfinger are pretty interesting – we should see how OpenID can leverage these new specs<br>
</span></font></li></ul><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt"><br>
I’m sure that there are more issues with OpenID 2.0 discovery. Anyone else want to take a stab at it?<br>
<br>
Allen<br>
<br>
<br>
On 5/21/10 7:55 PM, "Johannes Ernst" &lt;<a href="x-msg://6/jernst+openid.net@netmesh.us">jernst+openid.net@netmesh.us</a>&gt; wrote:<br>
<br>
</span></font><blockquote type="cite"><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">On May 21, 2010, at 19:28, Allen Tom wrote:<br>
<br>
</span></font><blockquote type="cite"><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">... there’s universal consensus that the existing OpenID 2.0 discovery mechanism is very deficient ...<br>
</span></font></blockquote><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt"><br>
Is there a summary somewhere of this "universal consensus" of deficiencies?<br>
<br>
Thanks,<br>
<br>
<br>
</span></font><font face="Helvetica, Verdana, Arial"><span style="font-size:12pt">Johannes Ernst<br>
NetMesh Inc.<br>
<br>
</span></font><font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt"><br>
<br>
<br>
</span></font></blockquote>
</div>
</blockquote></div><br></div></body></html>