[OpenID] Relying Party Best Practices

Jason Salaz jason at zenenet.com
Fri Mar 9 18:27:50 UTC 2007


Ok, it's about time I chime in on this topic, just in its own chain
of discussion, as I have a few minutes to punch out my thoughts into a
written form (in full, at least).

I disagree (in some manners) with two of your "Brilliant" practice ideas.

1) Don't require users to choose locally-unique usernames
2) Allow, but do not require, users to attach a handle or name to
their identity

First off, you're all probably best off
reading through
http://jyte.com/cl/openid-consuming-sites-should-not-expose-users-openids-by-default

( Also, read the original idea I linked to in-summary where I
over-stated my idea :P. Original idea being
http://jyte.com/cl/openid-consuming-sites-should-not-expose-users-openids
)

OpenID is very scary to some people.  If you compromise an account,
you have that person's keys to the kingdom.  Due to trust_root, you can
see completely where people have been.

(Do IdPs expire "Allow once" requests after a period of time? They
probably should...)

My idea is that on casual websites, you SHOULD NOT expose the user's
OpenID unless they request it.
On sites like Jyte, or vIdentity, or any other socially based site,
well, you're an idiot if you're trying to have privacy on a public
profile site, so they are a welcome exception.

I am all in favor of site-specific usernames. After all, I know *I*
like being "Inuyasha14" on anime forums, but I also like being
"XboxSucks247" on gaming forums.
(Not really, but I hope you understand the point I'm trying to make :P.)

People will want anonymity, or at least not
personally-identifying/tracking identity.

With the current scope of things, they sign up for a unique and
non-descript username.  But if that goes by the wayside, anyone will
be able to link you to everything you do.  It IS a VERY scary thought.

Not to mention (as I said on Jyte) that:
"
My OpenID is tied to my domain, my livejournal, and my aim name.

How should I fix that? Especially if I want to use the OpenID provided
by my domain, by my livejournal, by my aim name...
"

My domain has WHOIS data that can identify me.
My LiveJournal... well, I don't need to explain that one.
My AIM has a profile, and provides you with the ability to contact/hassle me.

All of these need to have the ability to be mitigated.

Just because we now have this ability for all of your information to
be centralized, doesn't mean we have to FORCE it to be that way.
Some people like to go do the things they want to do, but they don't
want all of this profile information slung around. Not to even mention
this is probably one of many reasons why MyOpenID supports personas.

When I implement OpenID into my site, I will ask users to pick a
nickname/nice name for themselves.
Actually, I'll ask for it in Attribute Exchange, and if it's not
defined, then I'll ask.
But I DO want them to have one.

Having URIs in every location a user publishes data is going to get
real ugly real fast.

Besides, do you really want to see: "thebestpageintheuniverse.net"
everywhere? That's a styling and readability nightmare.
I'd much rather he have set (and use) "Maddox" instead.

I absolutely do NOT agree that "Site specific usernames must go!" is a
brilliant idea, not even a good idea.
It's very bad, and it will shut off OpenID appeal very quickly to
privacy advocates, among others.

If someone has a mini-profile page (say for example on a forum),
OpenID identifiers need not always be shown!


