<HTML>
<HEAD>
<TITLE>Re: [OIDFSC] OpenID v.Next Discovery Working Group Proposal</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi Johannes,<BR>
<BR>
There isn’t a document summarizing the deficiencies with OpenID 2.0 discovery – I think it would be very useful for the WG and for the Community if we wrote this down.<BR>
<BR>
Off the top of my head, some of the problems are:<BR>
<BR>
</SPAN></FONT><UL><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Yadis discovery is very vague as to exactly how the RP is supposed to fetch the OP’s discovery document. Should it send the magic Accept header? Look for the X-XRDS-Location header in the response? Do HTML discovery? In practice, many implementers have had problems implementing discovery because there are too many ways to do it
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Speaking of Yadis, the specs need to be revised, and it’s unclear how to go about doing this
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Because a compromised discovery document can result in the complete breakdown in OpenID security – it’s important that we find ways to increase the security of discovery – perhaps it can be signed? Moved into DNS?
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Discovery is hard to implement – the majority of the code in OpenID libraries is to implement discovery. We can probably simplify discovery to require less code to implement
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Delegation is a really useful feature in OpenID – it was pretty straightforward in OpenID 1.1, but is very confusing (to say the least) in OpenID 2.0 – we can probably do something in discovery to make delegation work better
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>The infamous NASCAR problem could possibly be helped by discovery
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>The infamous phishing problem could also possibly be helped by discovery
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>LRDD, host-meta, and webfinger are pretty interesting – we should see how OpenID can leverage these new specs<BR>
</SPAN></FONT></UL><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
I’m sure that there are more issues with OpenID 2.0 discovery. Anyone else want to take a stab at it?<BR>
<BR>
Allen<BR>
<BR>
<BR>
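As an added illustration of the first point in the list above (this is example code, not code from this thread, from any OpenID library, or from the Yadis spec), here is a resolver that handles the three ways Yadis 1.0 lets an OP answer an RP's fetch of the identifier URL: an XRDS body, an X-XRDS-Location header, or an HTML meta tag. The sample responses and the host op.example are constructed for the example.

```python
from html.parser import HTMLParser
from typing import Optional, Tuple

XRDS_MEDIA_TYPE = "application/xrds+xml"

class _MetaXrdsParser(HTMLParser):
    """Collect <meta http-equiv="X-XRDS-Location" content="..."> found in <head>."""
    def __init__(self):
        super().__init__()
        self.location = None
        self._in_head = False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self._in_head = True
        elif tag == "meta" and self._in_head and self.location is None:
            if (a.get("http-equiv") or "").lower() == "x-xrds-location":
                self.location = a.get("content")
    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False

def resolve_yadis(headers: dict, body: str) -> Tuple[str, Optional[str]]:
    """Classify the reply to a GET of the identifier URL sent with
    'Accept: application/xrds+xml': ("xrds", body) if the body is the XRDS
    document, ("location", url) if a header or meta tag points elsewhere,
    else ("none", None)."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    # Path 1: the server honoured the Accept header and returned XRDS directly.
    if ctype == XRDS_MEDIA_TYPE:
        return ("xrds", body)
    # Path 2: an X-XRDS-Location response header names the document.
    if "x-xrds-location" in h:
        return ("location", h["x-xrds-location"].strip())
    # Path 3: HTML discovery via a meta http-equiv tag in the page head.
    if ctype == "text/html":
        p = _MetaXrdsParser()
        p.feed(body)
        if p.location:
            return ("location", p.location.strip())
    return ("none", None)

# Constructed sample responses; "op.example" is a placeholder host, not a real OP.
SAMPLE_DIRECT = ({"Content-Type": "application/xrds+xml; charset=utf-8"},
                 '<?xml version="1.0"?><xrds:XRDS xmlns:xrds="xri://$xrds"/>')
SAMPLE_HEADER = ({"Content-Type": "text/html",
                  "X-XRDS-Location": "https://op.example/yadis.xml"}, "<html></html>")
SAMPLE_META = ({"Content-Type": "text/html; charset=utf-8"},
               '<html><head><meta http-equiv="X-XRDS-Location" '
               'content="https://op.example/xrds"></head><body></body></html>')
```

An RP that implements only one of the three paths will fail against OPs that use another, which is the interoperability problem the list item describes.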
On 5/21/10 7:55 PM, "Johannes Ernst" <<a href="mailto:jernst+openid.net@netmesh.us">jernst+openid.net@netmesh.us</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>On May 21, 2010, at 19:28, Allen Tom wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>... there’s universal consensus that the existing OpenID 2.0 discovery mechanism is very deficient ...<BR>
</SPAN></FONT></BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
Is there a summary somewhere of this "universal consensus" of deficiencies?<BR>
<BR>
Thanks,<BR>
<BR>
<BR>
</SPAN></FONT><FONT FACE="Helvetica, Verdana, Arial"><SPAN STYLE='font-size:12pt'>Johannes Ernst<BR>
NetMesh Inc.<BR>
<BR>
</SPAN></FONT><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
</BODY>
</HTML>