Terminology requirements (was RE: OP Identifier vs. OP-Specific Identifier)

Drummond Reed drummond.reed at cordance.net
Tue Nov 21 04:02:21 UTC 2006


>>On 11/19/06, Recordon, David <drecordon at verisign.com> wrote:
>> So I'm working on cleaning up the terminology section
>...
>>  - Public Identifier (tries to create context)
>>  - Private Identifier (tries to create context)
>>  - Privacy-protected login (have we even defined this)
>
>Josh Hoyt wrote:
>
>These terms are related to use cases for Id^H^HOP-driven identifier
>selection.
>
>I don't like these terms because "public" and "private" don't really
>describe what's going on. OP-driven identifier selection makes it much
>easier to control the amount of correlation between the identifiers,
>but an identifier that cannot be correlated between sites does not
>mean that it's "private."
>
>The thing that makes it especially misleading is that I might decide
>that I want to be correlated between two sites (and only two sites)
>because I want them to know that I'm the same person. Is that
>identifier public or private?

By the definition offered on http://openid.net/wiki/index.php/Terminology,
it's Private. Any OpenID identifier that the End User guards to limit
correlation (whether by 1 site, 2 sites, 3 sites, or 100 sites) is Private.
Any identifier that the End User does not guard for correlation purposes
(for example, publishes publicly, like a blog URL) is Public.

>Do we need to do all this work to describe *a* use case for OP-driven
>identifier selection?

My personal view: the value of the terms goes beyond the specifics of just
this use case. They give us the tools to describe this key feature of OpenID
Authentication 2.0 in terms that developers, RPs, IdP/OPs, and End Users can
understand.

Clearly the Draft 10 spec was lacking in this respect when Eve Maler, who
knew exactly what she was looking for, couldn't figure out how this feature
worked after reading the spec, as she blogged at:

	http://www.xmlgrrl.com/blog/archives/2006/10/24/pseudonym-picking/ 

The terms "Public Identifier" (used by a number of folks on the list),
"Private Identifier" (proposed by Dick), and Privacy-Protected Login
(proposed by Saeed El-Darahali) were all proposed simply to meet the
requirements of needing a term to describe a key function of the spec.

To aid in analysis, I've added a Requirements table summarizing what I
understand the requirements are to:

	http://openid.net/wiki/index.php/Terminology

I personally am wide open to better terms meeting these requirements.

=Drummond 




