Discovery of an OpenID session at an OP

Breno de Medeiros breno at google.com
Tue Dec 15 17:39:11 UTC 2009 

>>
>> I think John's point is that the mechanism to protect privacy should
>> be optionally available to OPs: There should be a rule to allow OPs to
>> push this information without user consent.
> With 'a rule' you mean, part of OpenID somewhere?
> If so, I agree.

The discovery mechanism allows OPs to push the information that they
are the user has an account with them. The privacy solution implements
some RP-based opt-in/opt-out. The point that John makes is that OPs
should not be required to implement the latter to take advantage of
the former.

>
>> John anchored this point on the fact that the information is already
>> available via DOM/JS tricks. I think that these DOM/JS tricks are not
>> difficult to be fixed on the client side so I would prefer not to make
>> arguments for how to move forward based on accidental circumstances.
>> Regardless of the justification, one could argue that OPs should not
>> be mandated to implement the privacy solution because they may know
>> better what their consumers want.
> The OP chooses for the consumer? That shouldn't be the case?

The user chose the OP initially by creating an account there. Any or
all the web sites that the user has accounts with and that operate as
OPs would be candidates to advertize themselves as 'one of the user's
OPs', though if there were a setting 'the user's preferred OP' then
clearly the user must make that choice.

>
>> That is good as it goes, but we should still make sure that the design makes it easy for RPs to
>> implement the privacy issue,
> What do you mean with privacy issue. That the consumer has a setting with the OP to expose the OpenID session or not?

I meant the privacy solution and typed 'issue' instead. See above.

>
>> because if it becomes an issue of technical complexity (as opposed to finding out what users want) and
>> there's a loophole (it's optional), then it will likely not be implemented.
> Therefor I think it should be offered by the OP. People can choose what they want to expose. If that is switch on by default is something else.

Not sure I understand your comment here.

>
>> The risk of having no privacy story is a backlash that results in the
>> baby being thrown out with the bath water.
> What do you mean with 'no privacy story?' I want the consumer to control whether my logged-state is exposed or not.
>
> Ideally, I want to be asked when registering if i want 'expose my logged-in-state'.
>

That sounds likely/reasonable.

More information about the specs mailing list