OpenID 1.2 Extensions Proposal

Jonathan Daugherty cygnus at
Fri Apr 7 21:27:01 UTC 2006

# So, from my understanding, 1.2 should do three things:
# <snip>
# 3) Replace OpenID discovery and delegation with YADIS, though
# preserve the recommendation of backwards compatibility

You beat me to it. :) We'd very much like to see 1.2 specify the use
of Yadis discovery in OpenID with fallback to the current behavior if
Yadis can't be performed.

We have a few more requests.  There are security details in the
current OpenID spec (like "Your OpenID consumer library should most
likely add a self-signed nonce with consumer-local timestamp ...").
All too often, first-time readers of the spec miss details like this
because they're pretty well-embedded.  We think it would be great if
some of these details were factored out into a more explicit "Security
Notes" section.  It would be very helpful if this section also clearly
enumerates the trade-offs specific to each security feature.  The spec
should also mention SSL (at least a recommendation).  Sound

  Jonathan Daugherty
  JanRain, Inc.

More information about the yadis mailing list