Security and protocol changes

Paul Crowley paul at
Wed Jun 1 18:31:58 PDT 2005

Brad asked me to look over the security of OpenID just over two weeks
ago, before it all went public and when it was still called "yadis".
I've been busy at work for the last fortnight, but I do have several
suggestions about how things could be improved to bring OpenID closer to
best practice, and I'll go into details in future emails, using several
emails so different discussions get different threads.

However, I want to open with a plea: please don't be too resistant to
protocol changes at this early stage.  OpenID is barely a fortnight old
and currently has very few users.  I want OpenID to succeed, and be used
by millions of users for years.  It would seem like a terrible shame to
let the Wrong Thing persist for all that time for all those people
because it would inconvenience a few people now to fix it, especially
when those people are currently early adopters who are following
developments closely.  Now is the time to make the changes needed to get
the protocol right.

There's a story that the inventor of "make" woke up in the dead of night
one day and realised what a terrible mistake giving meaning to "tab"
was, but it was too late to change it - he already had a dozen users.
\/ o\ Paul Crowley, paul at

More information about the yadis mailing list