[OpenID] OpenID consumers should make it clear if they are going to publish a user's OpenID
Eric Norman
ejnorman at doit.wisc.edu
Sun May 13 01:42:56 UTC 2007
On May 12, 2007, at 2:32 PM, Simon Willison wrote:
> One of the benefits of OpenID is that it lets accounts on different
> sites be linked together. This has plenty of exciting implications,
> but also introduces new privacy concerns. If a site publishes a user's
> OpenID anywhere it is enabling cross-site correlation whether or not
> the user (or site) wants it to happen.
>
> OpenID consumer/relying party best practices should include the
> recommendation that sites make it clear to a user if their OpenID will
> be publicly exposed. Exposing OpenIDs should be avoided if not
> necessary for the purpose of the site (as is the case with Jyte or
> blog comment signing), or at the very least made "opt-in" so users can
> decide if they want their OpenID exposed or not.
>
> Does that sound sensible?
Some folks don't think that public exposure of someone's
identifier addresses the real privacy concern. They think
that it's the ability of different sites to link personal
information without the user's awareness or consent and
that can happen regardless of whether the identifier is
exposed to the public or not.
Isn't this what the Liberty Alliance is about?
Eric Norman