[Code] Directed identity and unique identifier

Andrew Arnott andrewarnott at gmail.com
Sun Feb 14 01:22:01 UTC 2010


On Sat, Feb 13, 2010 at 2:29 PM, Tommi Laukkanen <
tommi.s.e.laukkanen at gmail.com> wrote:

> Hi
>
> Thank you this is valuable information. Clarifying questions:
>
> Do you mean by protecting users' identity that users should stay anonymous?
> Google directed identity provides the user's email to the relying party so the
> mechanism does not provide anonymity always.
>

Certainly Google *can* provide email addresses if the user agrees to it, and
this does defeat anonymity. That's true. But not all RPs request email
address, and the user doesn't have to agree to it.


> Personally I have seen directed identity valuable from a usability
> perspective as it provides an easy way to sign in as you do not need to be
> copy-pasting your personal OpenID URL.
>
> I thought OpenID provides users a globally unique indisputable ID (URL) and
> not just a way to avoid multiple passwords?
>

I think you may be confusing "directed identity" with "identifier select".
Directed identity is enabled by identifier select. Identifier Select is in
the OpenID spec, and allows the user to either type "yahoo.com" or click a
Yahoo! button (for example) and log into the OP and have the OP send the
identifier (url) to the RP. The identifier the OP sends may be the user's
universally recognized identifier, or it may be a pairwise-unique identifier
that binds that user to just that one RP, which prevents the RP from
correlating the user data with other RPs. The latter pairwise-unique
identifier scenario is called "directed identity". Yahoo supported
identifier select, but not directed identity. Google supports identifier
select, and only offers directed identity. Unless you're using Google
Profiles, in which case you can have that recognizable URL for the user
again that is shared across RPs.

Hope that's helpful.
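
The distinction drawn in the reply above, as an added example that is not part of the original post and is not Google's, Yahoo's or any OP's actual code: an OP answering an identifier-select request with either a global identifier or a pairwise (directed) one. The HMAC derivation, the realm normalization, the OP secret, the `op.example` URL and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# OpenID 2.0 value an RP sends when it lets the OP choose the identifier.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed values (hypothetical OP): a server-side secret and identifier base URL.
OP_SECRET = b"constructed-demo-secret-not-for-production"
OP_BASE = "https://op.example/id/"


def normalize_realm(realm: str) -> str:
    """Assumed policy: reduce an RP realm to scheme://host[:port] so that
    different paths or letter case on one site do not yield different identifiers."""
    parts = urlsplit(realm)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unusable realm: {realm!r}")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{parts.hostname}{port}"


def pairwise_identifier(local_user: str, realm: str) -> str:
    """Directed identity: stable for one (user, RP) pair, unlinkable across RPs
    without the OP's secret."""
    msg = local_user.encode() + b"\x00" + normalize_realm(realm).encode()
    tag = hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()
    return OP_BASE + tag


def op_choose_identifier(requested: str, local_user: str, realm: str,
                         directed: bool) -> str:
    """Pick the identifier the OP asserts back to the RP after the user logs in."""
    if requested != IDENTIFIER_SELECT:
        raise ValueError("this sketch only handles identifier-select requests")
    if directed:
        return pairwise_identifier(local_user, realm)
    return OP_BASE + local_user  # global identifier: identical at every RP


if __name__ == "__main__":
    for rp in ("https://rp-one.example/", "https://rp-two.example/"):
        print(rp, "global  ", op_choose_identifier(IDENTIFIER_SELECT, "alice", rp, False))
        print(rp, "directed", op_choose_identifier(IDENTIFIER_SELECT, "alice", rp, True))
```
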