> . . .
>  1. Identifier recycling. There are two different use cases for
>     identifier recycling. The first, and the one that most people who
>     I have talked to really want to solve is that of a large provider
>     that wants to allow re-use of parts of its namespace. The second
>     is if a user wants to relinquish control of an identifier without
>     relinquishing control of the places that they have used this
>     identifier. A concrete example of this is if I ever choose to stop
>     paying for j3h.us.

I wouldn't consider this a problem with the OpenID 2.0 spec.  It's a  
more general problem with namespaces everywhere.

This problem has already existed in the realm of e-mail for years  
(which I think is a great precedent for the problems we will (and do)  
face with OpenID).  OpenID does an even better job of mitigating it  
because of built-in delegation.  I think this should be left up to  
the OP to iron out (at least for now), and shouldn't be considered a  
block for finalizing the OpenID 2.0.

>  2. Realm spoofing. This encompasses the attacks that Allen Tom has
>     described (using redirectors, proxies or XSS attacks) that create
>     new phishing opportunities and make certain types of phishing even
>     worse.

There are solutions popping up like Verisign's plugin and our  
myVidoop implementation that are taking shots at how to battle  
phishing.  Again, I don't think we should rest the responsibility of  
fixing these issues on the 2.0 spec's shoulders. In fact, I think we  
may be holding up development of the solutions to these problems by  
-not- finalizing.

>
> If these four issues are resolved, can we call the OpenID 2.0
> Authentication specification done? Speak up if you have any other
> show-stoppers.

IMO, it's becoming increasingly important that the spec is finalized  
and saved from becoming vaporspec(?), even if it requires shelving  
issues until OpenID 2.1 or 2.5 (or God forbid, 3.0).  RERO and what-not.

It's more important to finalize the spec, release production-level  
code libraries and let people start developing against the new  
features.  OpenID needs to start seeing 2.0 live -- in the wild -- soon.

As it is, I know a lot of people (vidoop included) are waiting for  
this finalization before we officially implement the spec.

-Sam
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs