This page is for collecting additional requirements that are not made clear in the published OpenID Authentication 2.0 specification, for reference in the short term and for possible incorporation into the next version of OpenID Authentication in the longer term.
Extension fields may be included in the signature of a positive assertion. In this case, the namespace declaration (openid.ns.prefix) MUST also be signed. If it is not signed, then any fields declared with that prefix cannot be considered to be signed, as an attacker could tamper with the namespace declaration to change the meaning of the extension fields.
setup_needed responses must contain user_setup_urlOpenID 1.1 had a user_setup_url argument in this case, which told the RP where to send the user for setup. This was removed in OpenID 2.0 since it was perceived to be redundant: the RP should just do a checkid_setup request. In practice, OpenID RP libraries have been unable to implement this without breaking API compatibility, since they don't know the base URL in order to synthesize a setup URL. Therefore a number of OpenID 2.0 RP implementations actually fail if user_setup_url is not present, and therefore most OP implementations include it, in many cases setting it to be their own checkid_setup URL.
While this is actually an RP bug, it's widespread enough that at this point it might as well just be put back into the spec again so that the spec describes reality.
For interoperability, folks publishing HTML links for OpenID discovery should separate out the OpenID 1.1 and OpenID 2.0 links, despite the fact that merging them is allowed in HTML. There are many RPs that do not process HTML as per the HTML specification. For example:
<link rel="openid2.provider" href="http://factoryjoe.com/blog/?openid_server=1" /> <link rel="openid2.local_id" href="http://factoryjoe.com/blog/author/factoryjoe/" /> <link rel="openid.server" href="http://factoryjoe.com/blog/?openid_server=1" /> <link rel="openid.delegate" href="http://factoryjoe.com/blog/author/factoryjoe/" />