[OpenID] OpenID consumers should make it clear if they are going to publish a user's OpenID

Dick Hardt dick at sxip.com
Sat May 12 22:00:11 UTC 2007


I think this is a great addition to RP Best Practices. Perhaps you
would like to add it to the wiki Simon?

Forward thinking on protocol direction, I envision that the terms and
conditions under which the user is releasing their data is included
in the request from the RP. The T&C are programmatically accessible so
that your OP can contrast the T&C with your personal settings and
alert you only of the exceptions. Public disclosure of OpenID would
be one of those T&C.

-- Dick

On 12-May-07, at 1:32 PM, Simon Willison wrote:

> One of the benefits of OpenID is that it lets accounts on different
> sites be linked together. This has plenty of exciting implications,
> but also introduces new privacy concerns. If a site publishes a user's
> OpenID anywhere it is enabling cross-site correlation whether or not
> the user (or site) wants it to happen.
>
> OpenID consumer/relying party best practices should include the
> recommendation that sites make it clear to a user if their OpenID will
> be publicly exposed. Exposing OpenIDs should be avoided if not
> necessary for the purpose of the site (as is the case with Jyte or
> blog comment signing), or at the very least made "opt-in" so users can
> decide if they want their OpenID exposed or not.
>
> Does that sound sensible?
>
> Cheers,
>
> Simon