OpenID Authentication 2.1
From IIW
Convener: David Recordon, John B
Notes-taker: Martin
Attendees:
- John Bradley
- Dan Balfanz
- Martin Atkins
- Axel Nennker
- Scott Blumquist
- Breno de Medeiros
- Yariv Adam
- Jorgen Thelin
- Mike Mell
- Mike Jones
- Jim Pravetz
- John Panzer
- Alberto Cobas
- Brian Eaton
- Will Norris
- Henrik Biering
- David Richards
- Raj Mata
- Mike Lee
- Allan Schiffman
- Gabe Wachob
- Eran Hammer
- Joseph Holsten
- Kannan Seshadri
Technology Discussed/Considered: OpenID
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
- 2.0 has been finalized.
- Bunch of implementations.
- Found lots of spec bugs.
- Also gone and done OAuth and email addresses and other things. Can we support these in the core spec?
- Making the spec more readable and fixing bugs (errata)
- Delegation
- Error handling
- Adding a security appendix
  - Could be a separate document referred to by the spec
  - Possibly produced by a separate group
  - Who controls this security page?
    - Security committee could look after this.
    - Or Allen at Yahoo! will be editing a security document
- Clarifying XRI
  - Currently there's no firm message about whether RPs MUST support XRIs or not.
  - Need to clarify how exactly XRI should be used with OpenID.
  - Similar to the whitelist question.
- Clarify if RPs can white or blacklist what OPs they accept, and vice-versa.
- Discovery of type of identifiers an RP supports.
- Clarifying IRI
- Updating discovery. Possibly including the new-fangled XRD discovery.
- Clarifying whether association over SSL must/can use Diffie-Hellman.
- Discovery of support of checkid_immediate.
Exploratory work:
- Signature mechanisms. Looking at additionally supporting the mechanisms defined in OAuth so that they can be closer together.
  - Possibly deprecating the current signature mechanism.
  - Public keys?
- Email-shaped identifiers for OpenID
  - Could be a separate working group?
  - There was consensus that email-shaped identifiers would be worked on by a separate group and possibly rolled into 2.1 if it's done in time.
- Smart/rich clients?
  - Could be in this WG unless it ends up being a big change, in which case it could be its own WG.
  - There's another session about this.