concerns about each user having a unique "URL"
Peter Watkins
peterw at tux.org
Wed Nov 8 15:53:06 UTC 2006

Kevin Turner wrote:
> On Thu, 2006-11-02 at 17:31 -0500, Peter Watkins wrote:
>> Also, while the obvious user identifier would be something like
>> username + "id." + domain name ("plumbers.co")
>> For years we have allowed characters in the username field that are
>> not compatible with RFC 952,
>
> Can you side-step this by putting the username in the path component,
> i.e. "id.plumbers.co/Patrick O'Rourke"?

Not really -- see my points about password-less authentication and name
changes. Many of our users authenticate without usernames; others change
names after marriage, divorce, etc. Our only good unique identifier is,
well, the "Plumber Identification Number", which is a 10-15 digit number
that nobody should ever have to remember, much less type. Even if they
did remember their PIN unique identifier, I don't want my users having
to disclose their PIN to log in for privacy reasons. If a member wants
to participate in some discussion forum about bathtub repair, it should
suffice that our IdP is willing to assert that he's a licensed plumber
with first name "Rob" or some such. If a Service Provider wants to
require the GUID (which for us would probably be the PIN, or some
unique-per-user derivative of the PIN) for one of our users, our OpenID
IdP interface should let the user decide if that was acceptable.

I don't quite understand this about OpenID -- the materials illustrate
some sort of user choice, but since all OpenID assertions use the same
constant-per-user claimed identifier, the net effect of giving different
pieces of info to different parties is that Service Providers, since
they all see the same claimed identifier for a given individual, could
collude to reconstruct more complete assertion sets than the user would
ever disclose to a single Service Provider.
-Peter
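
An added illustration of the correlation concern raised in the message above; it is not part of the original post and not code from any OpenID specification or library. It goes one step beyond the post's "unique-per-user derivative of the PIN" by assuming the IdP derives the identifier per Service Provider with an HMAC; the secret, PIN, realms and attributes are all constructed.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed values: the IdP secret, PIN, realms and attributes are made up.
IDP_SECRET = b"constructed-demo-secret-not-for-production"

def constant_identifier(pin: str) -> str:
    """Same identifier for every Service Provider (depends on the PIN only)."""
    return hmac.new(IDP_SECRET, pin.encode(), hashlib.sha256).hexdigest()[:16]

def pairwise_identifier(pin: str, sp_realm: str) -> str:
    """Assumed variant: identifier also depends on the Service Provider realm."""
    msg = sp_realm.encode() + b"\x00" + pin.encode()
    return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:16]

def assertions(make_id):
    """What each SP receives: (identifier, attributes the user released to it)."""
    releases = {
        "https://bathtub-forum.example/": {"first_name": "Rob", "licensed": True},
        "https://parts-shop.example/": {"postcode": "00000", "licensed": True},
    }
    pin = "1234567890"
    return {sp: (make_id(pin, sp), attrs) for sp, attrs in releases.items()}

def colluding_join(per_sp):
    """Merge attribute sets that arrive under the same identifier."""
    merged = defaultdict(dict)
    for ident, attrs in per_sp.values():
        merged[ident].update(attrs)
    return dict(merged)

def demo():
    # Constant identifier: both SPs see the same key, so their records join.
    shared = colluding_join(assertions(lambda pin, sp: constant_identifier(pin)))
    # Pairwise identifier: each SP sees a different key, so nothing joins.
    split = colluding_join(assertions(pairwise_identifier))
    return shared, split

if __name__ == "__main__":
    shared, split = demo()
    print("constant identifier:", shared)
    print("pairwise identifier:", split)
```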