[OpenID] OpenID consumers should make it clear if they are going to publish a user's OpenID

Chris Messina chris.messina at gmail.com
Sun May 13 00:47:34 UTC 2007 

While I would agree in principal with this suggestion, I'm not sure if
it's realistic and whether it might provide a false sense of
security... I do think Simon's right on with pointing out realities of
cross-site correlation, but since you can log into a site with only an
OpenID, the question becomes -- with what do you identify a user if
they choose to conceal their OpenID? Would you use something like
'anon351' until they chose some other value? Or would you force them
to pick an arbitrary nickname, and would that nickname need be unique?
(Somewhat nullifying the value of using an OpenID as your unique
identifier).

To make this better grounded in reality, both Pibb and stuckUnstuck
use your OpenID url as your public identifier w/o asking. But, with
Pibb you can set a non-unique nickname whereas in stuckUnstuck, we
allow you to claim your Twitter account and to avoid namespace
collisions, only use Twiiter accountnames as your nickname.

Finally, we used a normalized OpenID url as your URL identifier until
you claim your root permalink:

http://stuckunstuck.com/openid.claimid.comsplorp
http://stuckunstuck.com/openid.claimid.comsplorp/statuses/69

If we follow Simon's proposal, which I don't think is a bad one, how
would you recommend handling identifying users if you were to make
revealing an OpenID optional? What would you recommend:

a) when giving credit ("this comment posted by [foo]")
b) when creating permalink profile urls ("http://foo.com/users/[bar]")

Thoughts?

Chris


On 5/12/07, Dick Hardt <dick at sxip.com> wrote:
> I think this is a great addition to RP Best Practices. Perhaps you
> would like to add it to the wiki Simon?
>
> Forward thinking on protocol direction, I envision that the terms and
> conditions under which the user is releasing their data is included
> in the request from the RP. The T&C are programatically accessible so
> that your OP can contrast the T&C with your personal settings and
> alert you only of the exceptions. Public disclosure of OpenID would
> be one of those T&C.
>
> -- Dick
>
> On 12-May-07, at 1:32 PM, Simon Willison wrote:
>
> > One of the benefits of OpenID is that it lets accounts on different
> > sites be linked together. This has plenty of exciting implications,
> > but also introduces new privacy concerns. If a site publishes a user's
> > OpenID anywhere it is enabling cross-site correlation whether or not
> > the user (or site) wants it to happen.
> >
> > OpenID consumer/relying party best practices should include the
> > recommendation that sites make it clear to a user if their OpenID will
> > be publically exposed. Exposing OpenIDs should be avoided if not
> > necessary for the purpose of the site (as is the case with Jyte or
> > blog comment signing), or at the very least made "opt-in" so users can
> > decide if they want their OpenID exposed or not.
> >
> > Does that sound sensible?
> >
> > Cheers,
> >
> > Simon
> > _______________________________________________
> > general mailing list
> > general at openid.net
> > http://openid.net/mailman/listinfo/general
> >
> >
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>


-- 
Chris Messina
Citizen Provocateur &
  Open Source Advocate-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412 225-1051
Skype: factoryjoe
This email is:   [ ] bloggable    [X] ask first   [ ] private

More information about the general mailing list