OpenID 1.2 Extensions Proposal
Jonathan Daugherty
cygnus at janrain.com
Fri Apr 7 21:27:01 UTC 2006
# So, from my understanding, 1.2 should do three things:
#
# <snip>
#
# 3) Replace OpenID discovery and delegation with YADIS, though
# preserve the recommendation of backwards compatibility

You beat me to it. :) We'd very much like to see 1.2 specify the use
of Yadis discovery in OpenID with fallback to the current behavior if
Yadis can't be performed.

We have a few more requests. There are security details in the
current OpenID spec (like "Your OpenID consumer library should most
likely add a self-signed nonce with consumer-local timestamp ...").
All too often, first-time readers of the spec miss details like this
because they're pretty well-embedded. We think it would be great if
some of these details were factored out into a more explicit "Security
Notes" section. It would be very helpful if this section also clearly
enumerates the trade-offs specific to each security feature. The spec
should also mention SSL (at least a recommendation). Sound
reasonable?
--
Jonathan Daugherty
JanRain, Inc.