[OpenID] Relying Party Best Practices
John Panzer
jpanzer at aol.net
Thu Mar 8 00:24:54 UTC 2007
Simon Willison wrote:
> On 3/7/07, Martin Atkins <mart at degeneration.co.uk> wrote:
>
>> I created this page on the wiki ages ago but never really did much to
>> promote it. I just added a few more items of my own, and restructured it
>> a little bit:
>>
>> <http://openid.net/wiki/index.php/Relying_Party_Best_Practices>
>>
>> My thinking is that we could produce a bunch of best practices organised
>> into different "quality levels", which would hopefully cause sites to
>> aim towards maximum quality wherever possible, while making it clear
>> which things are pretty-much required for any kind of useful
>> implementation and which are just "would-be-nice" requirements.
>>
>
> That's a really great list. I have one query about it:
>
> - Many-to-one relationship between Identity URLs and "user accounts"
> - Don't require users to choose locally-unique usernames
>
> These appear to be conflicting recommendations. For the second one,
> you advocate using the OpenID identifier as the primary identifier for
> a user, but in the first you emphasize that a user account should be
> able to have more than one OpenID associated with it. Even if you ask
> the user to select their "primary" OpenID you still run into problems
> should they later ditch that one in favour of another. This could
> definitely be clarified.
>
If you assume that the local user account need not have a local username
(perhaps just an autogenerated UID), does this resolve the problem?

    OpenID1 --> UID1
    OpenID2 --> UID1

No local user name, yet they can ditch OpenID1 without affecting OpenID2.

Also:

"[TODO: Perhaps define a rel="..." keyword for OpenID identifiers, so
that interested software can grovel for them?]"

I think that the hCard microformat handles this nicely, using "uid":

    <span class="vcard"><a class="url fn uid"
    href="http://john.example.com">John Bloggs</a></span>

(Per related discussions on microformats-discuss mailing list.)

I really like this page. I wonder if it's appropriate to start
documenting "commonly used attributes" in which RPs are commonly
interested? (Nickname, website, email...)

Regards,
John Panzer
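
The mapping sketched in the message above (several OpenID identifiers pointing at one autogenerated UID), as an added example that is not part of the original post. The table names and the AccountStore class are hypothetical, and the code assumes every identifier passed in has already been verified and normalized by the relying party's OpenID library.

```python
import sqlite3
import uuid

# Hypothetical schema: the identifier is the key, the UID is autogenerated.
SCHEMA = """
CREATE TABLE accounts (uid TEXT PRIMARY KEY);
CREATE TABLE openid_identifiers (
    identifier TEXT PRIMARY KEY,              -- an identifier maps to exactly one account
    uid TEXT NOT NULL REFERENCES accounts(uid) -- an account may have many identifiers
);
"""

class AccountStore:
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def login(self, identifier):
        """Return the UID for a verified identifier, creating an account on first use."""
        row = self.db.execute(
            "SELECT uid FROM openid_identifiers WHERE identifier = ?", (identifier,)
        ).fetchone()
        if row:
            return row[0]
        uid = uuid.uuid4().hex  # no locally-unique username is ever requested
        self.db.execute("INSERT INTO accounts VALUES (?)", (uid,))
        self.db.execute("INSERT INTO openid_identifiers VALUES (?, ?)", (identifier, uid))
        return uid

    def attach(self, uid, identifier):
        """Link another verified identifier; one already bound elsewhere is rejected."""
        try:
            self.db.execute("INSERT INTO openid_identifiers VALUES (?, ?)", (identifier, uid))
        except sqlite3.IntegrityError:
            raise ValueError("identifier already bound to an account") from None

    def detach(self, uid, identifier):
        """Drop an identifier, refusing to remove the account's last one (lockout)."""
        (count,) = self.db.execute(
            "SELECT COUNT(*) FROM openid_identifiers WHERE uid = ?", (uid,)
        ).fetchone()
        if count <= 1:
            raise ValueError("cannot remove the only identifier on the account")
        cur = self.db.execute(
            "DELETE FROM openid_identifiers WHERE identifier = ? AND uid = ?", (identifier, uid)
        )
        if cur.rowcount == 0:
            raise ValueError("identifier is not linked to this account")
```

Note that once an identifier is detached, a later login with it creates a fresh account rather than returning the old UID.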