Server-to-server channel

Martin Atkins mart at degeneration.co.uk
Thu Apr 5 23:22:33 UTC 2007


Chris Drake wrote:
> Hi Martin,
> 
> Yes - sorry - I accidentally hit "reply" instead of "reply all". I
> later did re-post to the list though.  For the benefit of the list,
> your reply is at the end here.
> 
> Re-reading my reply, I think my wording sounded pretty strong, and I
> might not have made it clear that I'm not pushing for 100% of data to
> "live" at the OP: rather - I want to give the user a choice in the
> matter (that is - after all - the entire spirit of "user-centric"). I
> want users to have the *option* to decide whether to "sign up" to RP#A
> or RP#B, and be able to base their decision upon the data-handling and
> protection practices of the RP.  Some RP's will want to store
> everything just like they do today.  Some will want to embrace user
> centricity and give their customers full control, and most will
> probably tread a line somewhere inbetween.
> 
> As long as we build something that supports all this, then we can
> leave it up to the normal market forces to steer the "Identity future"
> the way they want - with the key issue (for us) being that OpenID has
> the chance to persist in this future.  Right now - OpenID is right at
> the bottom of the pile, being almost the worst "Identity 2.0" protocol
> currently on the market.  IMHO - this is a problem that's easily
> fixed.
> 

I believe we are aiming for much the same thing, though perhaps I'm 
coming at it from a different perspective. My original message was 
proposing support for expressing the user's desires for how long 
particular data items should be retained without refreshing them, which 
seems to fit into your world view as described above.

I was simply suggesting that expecting RPs to retain *no information at 
all* is unrealistic, and so we should provide a mechanism for users to 
express how they would like their data to be used rather than just 
assuming that RPs will retain nothing.

> I wrote:
>>> Yes - this could be a tough drain on RP and OP resources.  Tough.
> You wrote:
> MA> You can't just wash your hands of this problem because it doesn't suit
> MA> your rather bizarre idea about how the world should be. Sites need to be
> 
> I contest that I *am* allowed to "wash my hands" at this point,
> because it is absolutely my problem: I operate an OP, and I'm involved
> in helping RPs accomplish "Web 2.0" goals.  I'm smack in the middle of
> all the consequences that flow from allowing users to control their
> own data howsoever they wish. 
> 
> I further contest that the idea of me being in control of my own
> information about me is not bizarre.  It might not be how anything on
> the web works today - true - but I'm pretty confident this is
> something most people do, or will, want.
> 
> Imagine you're at the newsagent buying a magazine.  You hand over
> your credit card, and the shopkeeper says "No problem - I'm happy to
> sell you your goods, but I need you to first agree to let me make a
> photocopy of your credit card, grab you name and email address, and 
> keep it in all on our files for the next 10 years.  Oh - and we'll
> need to be sending you the occasional marketing message from time to
> time over those 10 years as well."
> 
> Now *that* is something that almost everyone will agree is bizarre.
> 

Note that I was focusing on the example you gave of a user's name, 
rather than of a user's credit card information. Different data deserves 
different treatment. I'll wholeheartedly agree that it's undesirable for 
a vendor to retain credit card information — they currently do so 
largely because there's nowhere else that it can be centrally stored and 
retrieved, but AX changes that — but other data such as a user's name 
are another matter.

When I meet people, I routinely tell them my name. I don't expect them 
to immediately forget my name after our conversation — in fact, like 
most people, I'm probably subconsciously offended when people *don't* 
remember my name. I control people's access to that data by simply not 
telling them in the first place.

I think that what we can take from this misunderstanding is that not 
only do different *attributes* have different usage expectations, but 
also different *situations* have different usage expectations: you're 
largely focusing on businesses and financial transactions, while I'm 
largely focusing on social situations such as forums, weblogs and social 
networking. This may be caused by a difference in our backgrounds or 
interests, but whatever the reason it does show that different 
situations call for different behavior, and is yet another reason why 
users should be able to express their desires on a case-by-case basis if 
it is important for them to do so. I like Vinay's subsequent suggestion 
that this somehow be made legally binding, although I'm not sufficiently 
knowledgable about the relevant law to know how that can be put into 
practice.


[snip]



More information about the specs mailing list