[OpenID] Sharing OpenID between sites (and APIs)

Stephen Paul Weber singpolyma at gmail.com
Mon Jan 29 22:14:39 UTC 2007


True... if one has never signed up to a site before and this happens
it would be a potential privacy breach (of course, it's easy enough to
do on a site-by-site basis now anyway, if you know the URL of the
login script).  I would definitely say not to blindly broadcast to all
sites... but having the sites accept the value if you send it to them
seems reasonable enough to me...

On 1/29/07, Eran Sandler <eran at sandler.co.il> wrote:
>
>
>
>
> George, you are correct, and perhaps I didn't say it before, but this was
> considering the fact that I already signed up to these sites using OpenID.
>
>
>
> So if I'm signed up with OpenID (specifically the same one) to LiveJournal
> and to Zooomr I will be able to switch between the two seamlessly as long as
> I'm authenticated at my OpenID server.
>
> The trick that I was referring to is to overcome the limitation of cookies
> being bound to a domain.
>
>
>
> Having a plugin like Sxipper is great but it's a plugin and people need to
> download and install it and if we want OpenID to get to a greater audience
> perhaps things like the planned integration with FireFox 3.0 is the way to
> go (though I haven't read any of its details yet).
>
>
>
> Eran
>
>
>
>
>
> From: George Fletcher [mailto:gffletch at aol.com]
>  Sent: Monday, January 29, 2007 7:42 PM
>  To: Tan, William
>  Cc: Eran Sandler; general at openid.net
>  Subject: Re: [OpenID] Sharing OpenID between sites (and APIs)
>
>
>
>
> +1
>
>  As a user I don't want my OpenID propagated to another site for
> Single-Sign-on without the option to determine whether I want to be
> authenticated at that site or not.  Just because I can be authenticated at a
> site (e.g. digg or slashdot) doesn't mean I want to be.
>
>  Existing browser form fills (or the sxipper plugin) do this already by
> recognizing the OpenID form field and offering to automatically fill it in.
> This means I don't have to type it in every time and yet allows me the
> flexibility to determine when I want to authenticate and when I don't.
>
>  Thanks,
>  George
>
>  Tan, William wrote:
>
>  However, an RP (or OP) wouldn't randomly link to another site giving it
> the openid_url of the logged in user since that would be a huge security
> concern. I assume the use case is for keeping the user logged in within
> affiliated sites only, kind of like moving between gmail and gcalendar
> or something like that.
>
> If the first RP that appends the openid_url parameter can be certain
> that the target will process it and then redirect away to a URL with no
> private information, then that's fine.
>
>
> =wil
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>


-- 
- Stephen Paul Weber, Amateur Writer
<http://www.awriterz.org>

MSN/GTalk/Jabber: singpolyma at gmail.com
ICQ/AIM: 103332966
BLOG: http://singpolyma-tech.blogspot.com/



More information about the general mailing list