[OpenID] "Consumer-Ping-Service" for OpenID Providers

Thomas Huhn thomas.huhn at gmail.com
Thu Mar 8 10:46:44 UTC 2007


As I had posted the same topic on my blog (
http://www.solution-media.de/blog/2007/03/06/openid-consumer-ping-service/)
I would like to post the results of the discussion over there to the
mailinglist:
Reader Comments  Comment Number:1Written by:Evan Prodromou<https://certifi.ca/>
Posted on:March 8, 2007 at 12:31 am
Edit<http://www.solution-media.de/blog/wp-admin/post.php?action=editcomment&comment=28>

This sounds like a very useful service for the OpenID community. However,
for the individual OpenID user, I think there's a danger of privacy
violation. I don't think part of the implicit "social contract" of OpenID is
that trust roots of RPs that a user is logging into get published to another
site without their consent. In fact, I don't think any part of the user's
login should be reported to a third party without their knowledge or
consent.

For example, if I were starting a new, unlaunched Web site, and I was
testing its OpenID functionality, I'd be pretty mad if its trust root URL
showed up in a public directory. If the trust root was for an embarrassing
web site, or if it included personally-identifying information, I think it
would also be a problem.

I think that there's a possibility for using this service that would
minimize intrusion and privacy concerns. A couple of ideas: an opt-in
checkbox on the trust form for when the user first logs in using some trust
root ("(Optional) Add this trust root to the OpenID Directory?"), and
caching trust roots at the IdP side so it doesn't ask unless the URL is
really new.
  Comment Number:2Written by:thuhn<http://www.solution-media.de/blog/?page_id=2>
Posted on:March 8, 2007 at 11:34 am
Edit<http://www.solution-media.de/blog/wp-admin/post.php?action=editcomment&comment=29>

Hi Evan,
I absolutely agree on the checkbox idea. I already proposed this on the
OpenID general mailinglist. I think it fits in well on the screen you see
when you first login to a site.

The caching mechanism could even be improved if we would offer a
ping-service that allows you to check if the trustroot is already submitted
to the OpenID Directory (after checking that the URL is new to the IdPs own
database).

But as we are coming closer to the relaunch of the OIDD we may have to
rethink the ping-service again. The new OIDD will have OpenID login (and
nothing else [image: ;-)] ) and the possibility to take control of the
title, description, thumbnail etc. of the sites you submitted yourself.

But who should submit sites at all? The webmasters themselfs, I think. For
the moment we do not ckeck if the submitter of a site is its owner (by
micro-ids e.g.), but this can be an issue if we get complaints about this
liberal practice.

So the question is if we should leave it up to the user of an IdP to add a
site to the OIDD or should we at least try to catch only the webmasters by
simply putting a button there saying "Are you the webmaster of this
trustroot? Add your site to the public OpenID Directory for free!". This
could jump to a new window (not interrupting the login process) leading the
webmaster to the OIDD submission. Here he can take full control over the
represantation of his site.

BTW, this would mean less manual work for the editors of the OIDD and better
control for webmasters. This would also mean omitting the auto-submission
and replacing it by a simple service that returns you a yes or no answer for
the question if a trustroot is already listed on the OIDD.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20070308/e92f1890/attachment-0002.htm>


More information about the general mailing list