Server-to-server channel
Martin Atkins
mart at degeneration.co.uk
Thu Apr 5 23:22:33 UTC 2007
Chris Drake wrote:
> Hi Martin,
>
> Yes - sorry - I accidentally hit "reply" instead of "reply all". I
> later did re-post to the list though. For the benefit of the list,
> your reply is at the end here.
>
> Re-reading my reply, I think my wording sounded pretty strong, and I
> might not have made it clear that I'm not pushing for 100% of data to
> "live" at the OP: rather - I want to give the user a choice in the
> matter (that is - after all - the entire spirit of "user-centric"). I
> want users to have the *option* to decide whether to "sign up" to RP#A
> or RP#B, and be able to base their decision upon the data-handling and
> protection practices of the RP. Some RP's will want to store
> everything just like they do today. Some will want to embrace user
> centricity and give their customers full control, and most will
> probably tread a line somewhere inbetween.
>
> As long as we build something that supports all this, then we can
> leave it up to the normal market forces to steer the "Identity future"
> the way they want - with the key issue (for us) being that OpenID has
> the chance to persist in this future. Right now - OpenID is right at
> the bottom of the pile, being almost the worst "Identity 2.0" protocol
> currently on the market. IMHO - this is a problem that's easily
> fixed.
>
I believe we are aiming for much the same thing, though perhaps I'm
coming at it from a different perspective. My original message was
proposing support for expressing the user's desires for how long
particular data items should be retained without refreshing them, which
seems to fit into your world view as described above.
I was simply suggesting that expecting RPs to retain *no information at
all* is unrealistic, and so we should provide a mechanism for users to
express how they would like their data to be used rather than just
assuming that RPs will retain nothing.
> I wrote:
>>> Yes - this could be a tough drain on RP and OP resources. Tough.
> You wrote:
> MA> You can't just wash your hands of this problem because it doesn't suit
> MA> your rather bizarre idea about how the world should be. Sites need to be
>
> I contest that I *am* allowed to "wash my hands" at this point,
> because it is absolutely my problem: I operate an OP, and I'm involved
> in helping RPs accomplish "Web 2.0" goals. I'm smack in the middle of
> all the consequences that flow from allowing users to control their
> own data howsoever they wish.
>
> I further contest that the idea of me being in control of my own
> information about me is not bizarre. It might not be how anything on
> the web works today - true - but I'm pretty confident this is
> something most people do, or will, want.
>
> Imagine you're at the newsagent buying a magazine. You hand over
> your credit card, and the shopkeeper says "No problem - I'm happy to
> sell you your goods, but I need you to first agree to let me make a
> photocopy of your credit card, grab you name and email address, and
> keep it in all on our files for the next 10 years. Oh - and we'll
> need to be sending you the occasional marketing message from time to
> time over those 10 years as well."
>
> Now *that* is something that almost everyone will agree is bizarre.
>
Note that I was focusing on the example you gave of a user's name,
rather than of a user's credit card information. Different data deserves
different treatment. I'll wholeheartedly agree that it's undesirable for
a vendor to retain credit card information — they currently do so
largely because there's nowhere else that it can be centrally stored and
retrieved, but AX changes that — but other data such as a user's name
are another matter.
When I meet people, I routinely tell them my name. I don't expect them
to immediately forget my name after our conversation — in fact, like
most people, I'm probably subconsciously offended when people *don't*
remember my name. I control people's access to that data by simply not
telling them in the first place.
I think that what we can take from this misunderstanding is that not
only do different *attributes* have different usage expectations, but
also different *situations* have different usage expectations: you're
largely focusing on businesses and financial transactions, while I'm
largely focusing on social situations such as forums, weblogs and social
networking. This may be caused by a difference in our backgrounds or
interests, but whatever the reason it does show that different
situations call for different behavior, and is yet another reason why
users should be able to express their desires on a case-by-case basis if
it is important for them to do so. I like Vinay's subsequent suggestion
that this somehow be made legally binding, although I'm not sufficiently
knowledgable about the relevant law to know how that can be put into
practice.
[snip]
More information about the specs
mailing list