[OpenID] OpenID consumers should make it clear if they are going to publish a user's OpenID

Simon Willison simon at simonwillison.net
Sat May 12 19:32:32 UTC 2007


One of the benefits of OpenID is that it lets accounts on different
sites be linked together. This has plenty of exciting implications,
but also introduces new privacy concerns. If a site publishes a user's
OpenID anywhere it is enabling cross-site correlation whether or not
the user (or site) wants it to happen.

OpenID consumer/relying party best practices should include the
recommendation that sites make it clear to a user if their OpenID will
be publicly exposed. Exposing OpenIDs should be avoided if not
necessary for the purpose of the site (as is the case with Jyte or
blog comment signing), or at the very least made "opt-in" so users can
decide if they want their OpenID exposed or not.

Does that sound sensible?

Cheers,

Simon
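An added illustration of the two halves of the point above (this is not code from Simon's post or from any OpenID library; the site names, usernames and identifier URLs are constructed samples): a relying party that keeps a verified OpenID out of the public profile unless the user has opted in, and a small helper showing why an identifier that two sites both publish links those accounts to one person.

```python
"""Opt-in exposure of a user's OpenID on a relying party, and a demonstration
of the cross-site correlation that public exposure makes possible.
Added example; the Account model and function names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Account:
    username: str
    openid: str                 # claimed identifier verified at login
    expose_openid: bool = False  # private by default: the user must opt in


def public_profile(account: Account) -> dict:
    """Build what the site renders to other visitors.

    The OpenID is a login credential's identifier, not profile content, so it
    is omitted unless the user explicitly chose to publish it.
    """
    profile = {"username": account.username}
    if account.expose_openid:
        profile["openid"] = account.openid
    return profile


def correlate(profiles_by_site: Dict[str, List[dict]]) -> Dict[str, Set[str]]:
    """Map each published OpenID to the set of sites that display it.

    Any identifier that appears on two or more sites ties those accounts
    together, regardless of what username the person chose on each site.
    This is the correlation a site enables the moment it publishes OpenIDs.
    """
    seen: Dict[str, Set[str]] = {}
    for site, profiles in profiles_by_site.items():
        for profile in profiles:
            oid = profile.get("openid")
            if oid:
                seen.setdefault(oid, set()).add(site)
    return {oid: sites for oid, sites in seen.items() if len(sites) > 1}


def demo() -> Dict[str, Set[str]]:
    """Constructed sample: the same person on two sites, opted in on one only."""
    blog = [Account("alice", "https://alice.example.com/", expose_openid=True)]
    forum = [Account("a_smith", "https://alice.example.com/")]  # kept private
    published = {
        "blog.example": [public_profile(a) for a in blog],
        "forum.example": [public_profile(a) for a in forum],
    }
    # The forum honoured the default, so nothing links the two accounts.
    return correlate(published)


if __name__ == "__main__":
    print(demo())
```

With the forum account left at the private default, demo() finds no linkable identifier; flip that account's expose_openid to True and the same OpenID is published on both sites, which is exactly the correlation the post warns about.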
