Johnny Bufu wrote:
> This is basically a push approach, as opposed to the pull approach
> you were suggesting.

I'm new to OpenID, and no engineer, but I have to say that I have a bad feeling about this 'push' approach. It inverts the relationship between client and server and seems entirely contrary to the stateless spirit of the Web:

* The RP can't know the status of the information it is working with - it just has to assume that the attributes it has in store are up-to-date.
* If an OP fails to update an attribute, the RP will never know - no fall-backs can be implemented.
* When updating, the OP imposes a previous address structure upon the Web, regardless of how it is actually organized now.
* While the RPs request the information, the OP is made responsible for doing the work associated with distributing it.
* The OP must donate storage space to support the distribution of information to RPs it has no direct interest in. A malicious RP may even exploit this storage space for its own purposes.
* Attributes are not easily referenced to, say, sub-contractors of an RP. The model imposes limits upon the complexity of the services that may be derived from it.

Regards,
Anders Feder