SREG's Privacy Policy URL

John Bradley jbradley at mac.com
Tue Jun 2 18:35:37 UTC 2009


The XRDS discovery spec is defined by the XRI 2.0 spec as profiled by  
Yadis.

There is a new discovery spec that converges XRDS Simple as used in
OAuth, Yadis and XRI.

That is the XRD 1.0 spec currently under development in the XRI TC at  
OASIS.

There will need to be a profile of the discovery spec as part of
OpenID 2.1 if that is desired.

Google, Yahoo and others are contributing to the XRD spec.

There are references in OpenID 2.0 and the extensions on what needs to
go into an XRDS, but there is no comprehensive profile of XRDS for
OpenID that defines where new Services or extension elements are added.

I agree that communicating RP TOS and Privacy via RP Discovery is a  
likely candidate.

The CX (contract exchange) workgroup is also looking at some of the  
same issues where those policies need to be signed by the user.

I know that is a requirement in Europe for accessing government sites,  
from my conversations with the people from the STORK initiative.
http://www.eid-stork.eu/

We may need lightweight policy display and the more heavyweight
signing ability that CX brings to the table to work across all the use
cases from different jurisdictions.

John B.

On 2-Jun-09, at 1:56 PM, specs-request at openid.net wrote:

> Date: Tue, 02 Jun 2009 10:55:55 -0700
> From: Allen Tom <atom at yahoo-inc.com>
> Subject: Re: SREG's Privacy Policy URL
> To: Luke Shepard <lshepard at facebook.com>, "specs at openid.net"
> 	<specs at openid.net>
> Message-ID: <4A2567AB.10606 at yahoo-inc.com>
>
> Hi Luke,
>
> Yes, this is what we're looking for. Currently, in OpenID, the only way
> for the RP to link to its privacy policy (which is sort of like linking
> to its ToS) is by passing it in the openid.sreg.policy_url parameter
> using SREG.
>
> Since we're trying to deprecate SREG, we can try to move this parameter
> to either the UI or AX Extension, or move it into Discovery.
>
> Is there an actual Discovery spec?
>
> Allen
>
>
> Luke Shepard wrote:
>> FWIW, Facebook Connect allows relying parties to define a "terms of
>> service" url. We then show that link to users when they click on it.
>> With OpenID, the equivalent URL would be set using relying party
>> discovery. Is this more or less what you're looking for?
>>
>> Screenshot:
>>
>>
>
