The OpenID v.Next session at IIW run by David Recordon and Dick Hardt reached some important conclusions about the future of OpenID. The motivation for the v.Next discussion was the sense that we’ve learned enough since the OpenID 2.0 specification was finalized that it’s time to revise the spec to incorporate what we’ve learned. This session attempted to reach a consensus on the priorities for the next version of OpenID, with a large number of the important players participating. I haven’t seen the decisions made published elsewhere, so I’m recording them here.
David organized the session around a stated goal of producing an evolved OpenID specification within the next six months. The consensus goals reached were as follows. The number after each goal is the count of participants who said that they would work on that feature in the next six months.
- Integrating the UX extension (in which the user interacts with the OP in a pop-up window) into the core specification: 12
- Evolving the discovery specification for OpenID, including adding OpenIDs using e-mail address syntax: 10
- Integrating attributes (claims) into the core specification: 9
- Integrating the OAuth Hybrid specification into the core specification: 8
- Supporting an optional active client (identity selector) and non-browser applications: 8
- Improving security, including investigating enabling use at levels of assurance above NIST level 1: 8
- Better support for mobile devices: 8
- Addressing the problem of long URLs (where browsers limit URL length to 2048 or sometimes 256 characters): 6
And in case it isn’t obvious from reading the above, there was also an explicit consensus in the room that OpenID v.Next would not be backwards compatible with OpenID 2.0. (It will be related to, but not compatible with, OpenID 2.0, analogous to how SAML 2.0 is related to, but not compatible with, SAML 1.1.) I believe we have interesting and exciting times ahead!