RE: [security-services] Simple Sign not so simple

["Scott Cantor" <cantor.2@osu.edu>]

> Perhaps it would have been better not to report at all rather than
> report late.

I don't think it's unreasonable to consider a higher bar for reopening a
spec vs. just adding text to one that's still undergoing changes. At that
point, clarifying issues that were apparently clear to most implementers is
not the same as actual missing processing rules.

> You guys are insiders (well, I guess I am too -- and I did not have
problem
> implementing, but I saw various pitfalls I reported) and the fact that
> the insiders happen to think in like ways does not equate to it being
> obvious to an outsider.

The people that I knew implementing this originally were not insiders. So
basically they were the guidance for us on what was confusing and what
wasn't (heck, the whole spec changed because of their testing). It's not a
question of inside vs. outside. Everybody thinks differently.

> The success of OpenID has much to do with not burdening outsiders
> with having to guess what the insider's intent was.

I'll refrain from commenting on what I think its "success" is due to, but
suffice to say that wouldn't be in my top 5.

-- Scott