Discovery of an OpenID session at an OP

John Panzer jpanzer at google.com
Mon Dec 14 19:32:40 UTC 2009 

On Mon, Dec 14, 2009 at 11:21 AM, Peter Watkins <peterw at tux.org> wrote:

> On Mon, Dec 14, 2009 at 09:48:54AM +0100, Chris Obdam wrote:
>
> > I think there a no real privacy issues with this idea? Ok, you know from
> this anonymous user that he or she has an OpenID with XXX, but is that a bad
> thing?
>
> Yes, it is a bad thing.
>
> 1) Privacy. I want to be in control of what information RPs have about
> me. I see how you think it wouldn't be a big deal for someone to see that
> I'm logged in to Google and Flickr -- what does that really say about me,
> you think? Nothing, right? But imagine a group of ideologically simliar
> groups deciding to implement RP+OP to make it easier for like-minded
> individuals to use all their sites without relying on some mega-OP? I
> don't want the data-hungry folks at Facebook noticing that I'm logged
> in to the Greenpeace or National Rifle Association unless I explicitly
> approve letting Facebook know that.
>

The OP should be able to opt-in to whatever mechanism is set up.  (Note that
even today, you may be able to use visited-link color hacks to determine
what OPs a user has recently frequented; statistically speaking you can
already get the information you're worried about.)


>
> 2) Security. A malicious site could more intelligently target victims
> if it could ascertain what sites the victim is logged into. There's no
> need to attempt some online Gmail exploit if the malicious RP can tell
> that the victim isn't logged in to Google.
>

Again, per above, I think this information is probably already available to
evil.org, at least statistically speaking.


>
> I would hope that
>
> A) OPs would give each user control over whether this discovery was enabled
> for his account (and possibly to whom it was available).
>
> B) Any spec describing this would note that the OP SHOULD give each user
> the ability to disable this feature for their account and that the default
> for new users SHOULD be to not provide this information.
>
> BTW, this sounds a lot like what Luke Shepard of Facebook described wanting
> to add to checkid_immediate:
>  http://www.sociallipstick.com/2009/04/?y%/lets-detect-logged-in-state/
>  http://lists.openid.net/pipermail/openid-general/2009-May/018232.html
>
> -Peter
>
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20091214/0632d95c/attachment.htm>

More information about the specs mailing list