concerns about each user having a unique "URL"

Ryan Barrett openid at ryanb.org
Fri Nov 3 07:42:57 UTC 2006


these are definitely worthwhile issues, but to be fair, they're also issues
with most existing web authentication systems. for example, usernames and
passwords 1) are regularly forgotten, 2) are the same across relying parties
for single-sign-on systems, and 3) are often based on names.

to be sure, it would be good to address them. however, openid is already
tackling a tough challenge: truly distributed, federated authentication.
it won't necessarily fail just because it doesn't solve other problems as
well. what's more, it might address those problems in the longer term.

having said that...

On Thu, 2 Nov 2006, Peter Watkins wrote:

> 2) privacy: if plumber Rob Smith tells every OpenID relying party that he's
>    "rsmith38.id.plumbers.co", all the relying parties know they're talking
>    about the same exact user. It's the whole Passport GUID mess all over

this might be allayed by IdPs that allow their users to obfuscate their ID
URLs. similar to the way many email providers ignore everything after a plus
sign, an IdP could e.g. ignore the path of the ID URL, which users could use
to provide unique URLs to RPs. for example:

   rsmith38.id.plumbers.co/claimid
   rsmith38.id.plumbers.co/shopping/amazon
   rsmith38.id.plumbers.co/paypal?transactionid=123456

the pattern is easy to detect with human eyes, but if different IdPs allow
different forms of obfuscation, RPs at least won't be able to invade privacy
with bulk data mining.


> Additionally, I don't think we're ready to offer each plumber his own web
> site. While the OpenID presentations I've read talk about users
> "understanding" URLs, I think those presentations underestimate the
> likelihood that OpenID users will expect that "having a unique URL" means
> having a human-usable web site.

this is a good point. you don't need separate, fully functional web space for
each user, though. when the IdP receives an HTTP GET on an OpenID endpoint, it
could serve a standard placeholder page that says "this is the OpenID web page
for rsmith38." each user then does have their own web page. it's only a
placeholder, but at least it prevents any possible confusion.

-Ryan

--
http://snarfed.org/
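
The path-ignoring idea described in this message, sketched from the IdP's side as an added example (not part of the original email and not code from any OpenID implementation): every identifier under the account's host resolves to the same account whatever its path or query, and hosts outside the IdP's domain are rejected. The function names, the `IDP_SUFFIX` constant and the account-name character rule are assumptions; the sample URLs are the ones given in the message.

```python
import re
from urllib.parse import urlsplit

# Assumption: the IdP serves identifiers as <account>.id.plumbers.co,
# the host pattern used in the message's examples.
IDP_SUFFIX = ".id.plumbers.co"
ACCOUNT_RE = re.compile(r"[a-z0-9-]+")  # assumed account-name rule

# Identifier URLs from the message, one per relying party.
SAMPLES = [
    "rsmith38.id.plumbers.co/claimid",
    "rsmith38.id.plumbers.co/shopping/amazon",
    "rsmith38.id.plumbers.co/paypal?transactionid=123456",
]


def resolve_account(identifier: str) -> str:
    """Return the IdP account for an identifier URL, ignoring path and query."""
    # Users often type identifiers without a scheme; add one so that
    # urlsplit() parses the first component as the host.
    if "://" not in identifier:
        identifier = "http://" + identifier
    parts = urlsplit(identifier)
    if parts.scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    # Reject userinfo such as http://rsmith38.id.plumbers.co@other.example/
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed in identifier")
    host = (parts.hostname or "").lower().rstrip(".")
    # Only the host decides the account. The suffix must match at the end,
    # so rsmith38.id.plumbers.co.other.example is not accepted.
    if not host.endswith(IDP_SUFFIX):
        raise ValueError("identifier is not hosted by this IdP")
    account = host[: -len(IDP_SUFFIX)]
    if not ACCOUNT_RE.fullmatch(account):
        raise ValueError("malformed account label")
    return account


def accounts_for(identifiers):
    """Map each distinct identifier string to the account it resolves to."""
    return {ident: resolve_account(ident) for ident in identifiers}


if __name__ == "__main__":
    for ident, account in accounts_for(SAMPLES).items():
        print(f"{ident} -> {account}")
```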


