OpenID Authentication 2.1

From IIW

Convener: David Recordon, John B

Notes-taker: Martin


  • John Bradley
  • Dan Balfanz
  • Martin Atkins,
  • AxelNennker,
  • Scott Blumquist,
  • Breno de Mediros,
  • Yariv Adam,
  • Jorgen Thelin,
  • Mike Mell,
  • Mike Jones,
  • Jim Pravetz,
  • John Panzer,
  • Alberto Cobas,
  • Brian Eaton,
  • Will Norris,
  • Henrik Biering,
  • David Richards,
  • Raj Mata,
  • Mike Lee,
  • Allan Schiffman,
  • Gabe Wachob,
  • Eran Hammer,
  • Joseph Holsten,
  • Kannan Seshadri

Technology Discussed/Considered: OpenID

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

2.0 has been finalized

bunch of implementations

found lots of spec bugs

also gone and done oauth and email addresses and other things. Can we support these in the core spec?

  • Making the spec more readable and fixing bugs (eratta)
    • Delegation
      • Error handling
  • Adding a security appendix
    • could be a separate document referred to by the spec
    • possibly produced by separate group
    • Who controls this security page?
      • Security committee could look after this.
      • or Allen at Yahoo! will be editing a security document
  • Clarifying XRI
    • Currently there's no firm message about whether RPs MUST support XRIs or not.
    • Need to clarify how exactly XRI should be used with OpenID.
    • Similar to the whitelist question.
  • Clarify if RPs can white or blacklist what OPs they accept, and vice-versa.
    • Discovery of type of identifiers an RP supports.
  • Clarifying IRI
  • Updating discovery. Possibly including the new-fangled XRD discovery.
  • Clarifying whether association over SSL must/can use diffie-hellman.
  • Discovery of support of checkid_immediate.

Exploratory work:

  • Signature mechanisms. Looking at additionally supporting the mechanisms defined in OAuth so that they can be closer together.
    • Possibly deprecating the current signature mechanism.
    • Public keys?

  • Email-shaped identifiers for OpenID
    • Could be a separate working group?

There was consensus that email-shaped identifiers would be worked on by a separate group and possibly rolled into 2.1 if it's done in time.

  • Smart/rich clients?
    • Could be in this WG unless it ends up being a big change in which case it could be its own WG.
    • There's another session about this.