> If these four issues are resolved, can we call the OpenID 2.0
> Authentication specification done? Speak up if you have any other
> show-stoppers.
>
> Josh

Yesterday, Dmitry and I had a long talk about browser support for
OpenID. I think it is the consensus between the two of us that there
are lots of snares for browsers if there are no ways for browsers
to detect OPs or even RPs.

As of today, browsers are forced to make untenable assumptions to
detect OPs or RPs. Read
http://openid.net/specs/openid-authentication-2_0-11.html#initiation:
"The form field's "name" attribute SHOULD have the value
"openid_identifier"" is the only point for a browser to grip the
protocol. (And the field name is different from OpenID 1.x.)

We also discussed the fact that the spec does not provide any hints
WHEN in the flow of the protocol the RP-OP transition takes place.
  It is valid that between entering an OpenID at an RP site
  and redirecting to an OP, lots of pages get displayed by the
  RP (as part of non-sreg registration, for example).
  OpenID 2.0 allowing for POST redirects adds to this.

Therefore, hints for robust OP detection would not hurt either.

-- Boris
_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs
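
The field-name heuristic discussed in the message above, as an added example that is not part of the original thread or of any browser's code: a user agent can only look for the recommended input name, so a form that uses another name goes undetected. The 1.x name `openid_url` is taken from the OpenID 1.1 recommendation; the sample pages and the function name `find_openid_forms` are constructed for illustration.

```python
from html.parser import HTMLParser

# Field names the specs recommend (SHOULD, not MUST) for the identifier input.
# "openid_identifier" is quoted in the message; "openid_url" is the 1.1 name.
HINTS = {"openid_identifier": "2.0", "openid_url": "1.x"}


class OpenIDFormFinder(HTMLParser):
    """Collects forms containing an input whose name matches a spec hint."""

    def __init__(self):
        super().__init__()
        self.found = []       # list of (form action, guessed protocol version)
        self._action = None   # action of the open form, None outside a form

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action") or ""
        elif tag == "input" and self._action is not None:
            version = HINTS.get((a.get("name") or "").strip())
            if version:
                self.found.append((self._action, version))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def find_openid_forms(html):
    """Return (action, version) for each form that looks like an OpenID login."""
    finder = OpenIDFormFinder()
    finder.feed(html)
    finder.close()
    return finder.found


# Constructed sample pages (not taken from any real RP).
PAGE_20 = ('<form action="/login" method="post">'
           '<input type="text" name="openid_identifier"></form>')
PAGE_1X = '<form action="/auth"><input name="openid_url"><input type="submit"></form>'
# An RP that ignores the SHOULD: still a valid OpenID login form, but invisible.
PAGE_MISSED = '<form action="/signin"><input name="identity_url"></form>'

if __name__ == "__main__":
    for page in (PAGE_20, PAGE_1X, PAGE_MISSED):
        print(find_openid_forms(page))
```

The third page shows the gap: nothing in the markup tells the user agent that the form starts an OpenID flow, and nothing later in the flow marks the RP-to-OP transition either.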
