Call directed identity "anonymous login"? (was RE: concerns about each user having a unique "URL")

Sun Nov 12 19:58:59 UTC 2006

James A. Donald wrote:
> Drummond Reed wrote:
>  > The term Josh uses, "IdP-driven identifier selection",
>  > is technically accurate, but somewhat like "directed
>  > identity", I fear I it will be lost on the general
>  > public.
>  >
>  > The best candidate I can think of so far is "anonymous
>  > login", because that seems to go straight to the heart
>  > of the benefit to the End User.

I think there are a couple questions here:
 1) what to call this "directed identity" process
 2) what to call the URL that a user would enter to
    utilize such a process

I keep finding myself drawn to the second question. While the first
question is somewhat esoteric (what should the developers and sysadmins
call it), the second question is focused on user interface and
education, and I think that's the more important concern.

The best phrasing I've come up with is based on on the notion of an
"authority" ("identity provider" is too abstract and technical;
"institution", "domain" and "corporate" not quite accurate).

My answer to the second question is an "OpenID authority URL".

Users would be asked to enter either
 - an iName (=beth),
 - an "individual OpenID URL" (beth.pip.verisignlabs.com), or
 - an "OpenID authority URL" (pip.verisignlabs.com)

I think this is both more accurate than terms like "anonymous login"
(some sites like my employer's will use this not for anonymity, but to
avoid the complexities of managing individual user URLs) and
"privacy-protected login" (the RP might insist on the GUID or other
attributes that don't really preserve privacy), and easier to comprehend
(the difference between "individual" and "authority"). Instead of a URL
unique to that user, the "authority URL" identifies a party that can
vouch for the user.

The "private" vs. "public" wording seems ripe for confusion. In this
discussion, we'd probably call "pip.verisignlabs.com" the "private" URL
because it would be used when the individual wanted to choose what
information the IdP gave to the RP -- preserving some "privacy". But
"private" also implies something reserved for the individual, and
"public" implies something known or accessible to all -- gmail.com being
better known than, say, my gmail address. I find it too easy to get the
private/public identifiers reversed.

With phrasing like "OpenID authority URL" or "OpenID authority
identifier", this process might then be called something like
"authority-driven identification", but in the specs it could just as
well be called IdP-driven identification, etc.

-Peter

> Cypherpunks and the cryptonomicon discuss identity at
> considerable length.  In their terminology, it is nymous
> login.
> 
> The user can have as many nyms as he pleases, thereby
> controlling the extent to which his identity is
> revealed.  "Nym" merely means name, but the association
> with "anonymous" and "pseudonym" implies that it can
> easily be a cheap and disposable name, or a name that is
> one of a rather large number of names that cannot be
> easily linked to each other by outsiders.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 191 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20061112/80f4a4a5/attachment-0002.pgp>