[OpenID] Relying Party Best Practices

Martin Atkins mart at degeneration.co.uk
Fri Mar 9 18:51:59 UTC 2007

Jason Salaz wrote:
> I disagree (in some manners) with two of your "Brilliant" practice ideas.
> 1) Don't require users to choose locally-unique usernames
> 2) Allow, but do not require, users to attach a handle or name to
> their identity

> (Do IdP's expire "Allow once" requests after a period of time? They
> probably should...)

IdPs really shouldn't be storing those persistently at all.

> My idea is that on casual websites, you SHOULD NOT expose the user's
> OpenID unless they request it.
> On sites like Jyte, or vIdentity, or any other socially based site.
> Well, you're an idiot if you're trying to have privacy on a public
> profile site, so they are a welcome exception.
> I am all in favor of site specific usernames. After all, I know *I*
> like being "Inuyasha14" on anime forums, but I also like being
> "XboxSucks247" on gaming forums.
> (Not really, but I hope you understand the point I'm trying to make :P.)

The solution I would promote for this is for IdPs to remove the 
one-to-one relationship between account and identifier. My IdP should 
allow me to create additional identifiers attached to my single account 
so that I can present these different identities without having to keep 
logging in and out.

This way it is in the user's power to decide which site accounts should 
be "linked" by using the same identifier and which should not. If you're 
known as Inuyasha14 on a bunch of anime forums but then someone comes 
along and signs up as Inuyasha14 on another anime forum it would 
initially appear that this person is you. However, if you're OpenID 
authenticated as inuyasha14.myopenid.com on all of the anime sites, it's 
possible to carry your identity securely between sites.

When you post on a gaming forum, though, you can create a second 
identifier at myopenid.com and be xboxsucks247.

With the help of the directed identity feature of OpenID 2.0, your IdP 
will be able to help you randomly choose a meaningless, one-time 
identifier for a particular site, too.

> My OpenID is tied to my domain, my livejournal, and my aim name.
> How should I fix that? Especially if I want to use the OpenID provided
> by my domain, by my livejournal, by my aim name...
> My domain has WHOIS data that can identify me.
> My LiveJournal... well, I don't need to explain that one.
> My AIM has a profile, and provides you with the ability to contact/hassle me.
> All of these need to have the ability to be mitigated.

If you don't wish to have these ties, use an OpenID-only provider such 
as MyOpenID.com.

> Just because we now have this ability for all of your information to
> be centralized, doesn't mean we have to FORCE it to be that way.
> Some people like to go do the things they want to do, but they don't
> want all of this profile information slung around. Not to even mention
> this is probably one of many reasons why MyOpenID supports personas.

Indeed. Under the local-username regime, you are FORCED to have a 
separate identity for each site. Under OpenID, you have the OPTION of 
linking your identities. No-one is forcing you.

However, having the option of linking identities across sites gives you 
the ability to build a reputation outside of a single community, which 
can be valuable for several applications.

The PRIMARY PURPOSE of OpenID is to make it possible to have 
globally-applicable identifiers, but there's no reason why each person 
must have exactly one.

> When I implement OpenID into my site, I will ask users to pick a
> nickname/nice name for themselves.
> Actually, I'll ask for it in Attribute Exchange, and if it's not
> defined, then I'll ask.
> But I DO want them to have one.

...and if your site is at all popular, I'm going to end up having some 
horrific name like martmartmart12345, despite the fact that I already 
have a perfectly good OpenID identifier which I like.

> Having URIs in every location a user publishes data is going to get
> real ugly real fast.
> Besides, do you really want to see: "thebestpageintheuniverse.net"
> everywhere? That's a styling and readability nightmare.
> I'd much rather he have set (and use) "Maddox" instead.

That's the motivation behind the second point you disagreed with. 
Identifying people primarily by URLs is ugly, so let them just enter 
their own name or nickname and use that… but make the OpenID identifier 
available so that it's possible to disambiguate users if it becomes 
necessary. You don't need to display the identifiers in the visible page 
if you don't want to; making the user's name a link to the identifier, 
or a link to the profile page containing the identifier, would do the trick.
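
As an added illustration of the arrangement discussed in this thread (it is not code from the post or from any OpenID library): a toy IdP that lets one login hold several named identifiers and hands out a random, realm-bound identifier when the RP asks for directed identity, and an RP that keys its users by OpenID identifier while displaying an optional, deliberately non-unique nickname linked back to that identifier. The class names, the `myopenid.com`-style host, and the `/id/` path for directed identifiers are all assumptions made for this example.

```python
import html
import secrets
from dataclasses import dataclass, field

# Hypothetical models written for this example; not a real OpenID library's API.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

@dataclass
class Account:
    identifiers: set = field(default_factory=set)  # named identifiers the login owns
    directed: dict = field(default_factory=dict)   # RP realm -> opaque identifier

class IdP:
    def __init__(self, host):
        self.host, self.accounts, self.owner = host, {}, {}  # owner: identifier -> login

    def add_identifier(self, login, name):
        ident = f"http://{name}.{self.host}/"
        if ident in self.owner:
            raise ValueError("identifier already taken")
        self.owner[ident] = login
        self.accounts.setdefault(login, Account()).identifiers.add(ident)
        return ident

    def checkid(self, login, requested, realm):
        """Return the identifier the IdP will assert to the RP for this login."""
        acct = self.accounts.setdefault(login, Account())
        if requested == IDENTIFIER_SELECT:      # OpenID 2.0 directed identity
            if realm not in acct.directed:      # random, meaningless, bound to one realm
                ident = f"http://{self.host}/id/{secrets.token_urlsafe(12)}"
                self.owner[ident] = login
                acct.directed[realm] = ident
            return acct.directed[realm]
        if self.owner.get(requested) != login:  # never assert an identifier the login does not own
            raise PermissionError("identifier not owned by this account")
        return requested

class RelyingParty:
    def __init__(self):
        self.users = {}  # claimed identifier -> nickname or None (nickname need not be unique)

    def login(self, claimed_id, nickname=None):
        if not claimed_id.startswith(("http://", "https://")):
            raise ValueError("claimed identifier must be an http(s) URL")  # keeps hrefs sane
        self.users.setdefault(claimed_id, nickname)

    def render_author(self, claimed_id):
        # Show the nickname; keep the identifier as the link so duplicates can be told apart.
        label = self.users[claimed_id] or claimed_id
        return f'<a href="{html.escape(claimed_id)}">{html.escape(label)}</a>'
```

Two RP users who both pick "Inuyasha14" render with different `href`s, which is the disambiguation the post asks for without making the nickname unique.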

