[OpenID] Relying Party Best Practices

John Panzer jpanzer at aol.net
Thu Mar 8 00:24:54 UTC 2007


Simon Willison wrote:
> On 3/7/07, Martin Atkins <mart at degeneration.co.uk> wrote:
>   
>> I created this page on the wiki ages ago but never really did much to
>> promote it. I just added a few more items of my own, and restructured it
>> a little bit:
>>
>>      <http://openid.net/wiki/index.php/Relying_Party_Best_Practices>
>>
>> My thinking is that we could produce a bunch of best practices organised
>> into different "quality levels", which would hopefully cause sites to
>> aim towards maximum quality wherever possible, while making it clear
>> which things are pretty-much required for any kind of useful
>> implementation and which are just "would-be-nice" requirements.
>>     
>
> That's a really great list. I have one query about it:
>
> - Many-to-one relationship between Identity URLs and "user accounts"
> - Don't require users to choose locally-unique usernames
>
> These appear to be conflicting recommendations. For the second one,
> you advocate using the OpenID identifier as the primary identifier for
> a user, but in the first you emphasize that a user account should be
> able to have more than one OpenID associated with it. Even if you ask
> the user to select their "primary" OpenID you still run into problems
> should they later ditch that one in favour of another. This could
> definitely be clarified.
>   
If you assume that the local user account need not have a local username 
(perhaps just an autogenerated UID), does this resolve the problem?

OpenID1 --> UID1
OpenID2 --> UID1

No local user name, yet they can ditch OpenID1 without affecting OpenID2.

Also:

"/[TODO: Perhaps define a rel="..." keyword for OpenID identifiers, so 
that interested software can grovel for them?]"/

I think that the hCard microformat handles this nicely, using "uid":

<span class="vcard"><a class="url fn uid"  
href="http://john.example.com">John Bloggs</a></span>

(Per related discussions on microformats-discuss mailing list.)

I really like this page.  I wonder if it's appropriate to start 
documenting "commonly used attributes" in which RPs are commonly 
interested?  (Nickname, website, email...)

Regards,
John Panzer
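
The OpenID1/OpenID2 --> UID1 mapping described in the message above, sketched as an added example that is not part of the original post or of any OpenID library. The table and function names are hypothetical, identifiers are assumed to be already verified and normalized by the relying party, and the refusal to remove an account's last OpenID is an added safeguard the message does not mention.

```python
import sqlite3
import uuid

# Hypothetical schema: the account row carries only an autogenerated UID.
SCHEMA = """
CREATE TABLE account (uid TEXT PRIMARY KEY);
CREATE TABLE openid_identity (
    identifier TEXT PRIMARY KEY,  -- one OpenID maps to exactly one account
    uid TEXT NOT NULL REFERENCES account(uid)
);
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def create_account(db, identifier):
    """First login with an unknown OpenID: mint a UID, ask for no username."""
    uid = uuid.uuid4().hex
    with db:
        db.execute("INSERT INTO account VALUES (?)", (uid,))
        db.execute("INSERT INTO openid_identity VALUES (?, ?)", (identifier, uid))
    return uid

def attach(db, uid, identifier):
    """Link another verified OpenID; the primary key rejects one already claimed."""
    with db:
        db.execute("INSERT INTO openid_identity VALUES (?, ?)", (identifier, uid))

def resolve(db, identifier):
    """Map a verified OpenID to its local UID, or None if unknown."""
    row = db.execute("SELECT uid FROM openid_identity WHERE identifier = ?",
                     (identifier,)).fetchone()
    return row[0] if row else None

def detach(db, uid, identifier):
    """Drop one OpenID from an account, refusing to remove the last one."""
    with db:
        count = db.execute("SELECT COUNT(*) FROM openid_identity WHERE uid = ?",
                           (uid,)).fetchone()[0]
        if count <= 1:
            raise ValueError("cannot remove the only OpenID on an account")
        cur = db.execute("DELETE FROM openid_identity WHERE identifier = ? AND uid = ?",
                         (identifier, uid))
        return cur.rowcount == 1
```

Scoping the DELETE to the caller's own UID keeps one account from unlinking an identifier that belongs to another.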
