OpenID status update

Ken Horn ken.horn at
Sun Jun 5 09:21:19 PDT 2005

Versioning is always a mare, but i think the main benefit is declaring
what your message (either from consumer to id server or the return, or
any other interaction) contains, ie is explicit. Without going for a
full negotiation, I think there's still value in the declaration. The
most significant benefit, imho, is the sig string -- it's completely
opaque. If we want to change its contents, without versioning, a new
parameter should probably be used. For previous examples, LDAP passwords
are most commonly stored as "{SHA1}63gadef838274ae492098" -- which is
obvious and secure - you don't even need to read a spec.

We have multiple implementations today with various, crypto inspired, 
changes being discussed. That means (assuming that we're all on the same 
page today) any changes at all should be potentially versioned in some 
way. How about just adding the revision number from the spec wiki page, 
so that if something doesn't work, it least there's a declaration of 
roughly how up to date each server thinks it is?

On another topic, it would be nice to be able to request a server to
help debug a problem. Perhaps a verbosity flag? For example, the
existing impls can show on the ajax dialoge the token the sig was
generated from, this type of thing will help adoption, since
implementors will be able to self diagnose a little better.


More information about the yadis mailing list