[OpenID] OpenID consumers should make it clear if they are going to publish a user's OpenID
Dick Hardt
dick at sxip.com
Sun May 13 22:38:37 UTC 2007
On 12-May-07, at 5:47 PM, Chris Messina wrote:
> While I would agree in principle with this suggestion, I'm not sure if
> it's realistic and whether it might provide a false sense of
> security... I do think Simon's right on with pointing out realities of
> cross-site correlation, but since you can log into a site with only an
> OpenID, the question becomes -- with what do you identify a user if
> they choose to conceal their OpenID? Would you use something like
> 'anon351' until they chose some other value? Or would you force them
> to pick an arbitrary nickname, and would that nickname need be unique?
> (Somewhat nullifying the value of using an OpenID as your unique
> identifier).
The nickname on the site only has to be unique to the site. An OpenID
by nature is globally unique.
The user would use their OpenID to log into the site, but could have
some other site-specific identifier be displayed to identify them on
site content.
> <snip>
> If we follow Simon's proposal, which I don't think is a bad one, how
> would you recommend handling identifying users if you were to make
> revealing an OpenID optional? What would you recommend:
>
> a) when giving credit ("this comment posted by [foo]")
> b) when creating permalink profile urls ("http://foo.com/users/[bar]")
>
> Thoughts?
The OpenID could be used for any of these, and likely more. It is
used to identify the user on the site.
If the OpenID is exposed in the HTML, then it can be correlated to
other sites since it is globally unique.
-- Dick
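
One way a consumer could implement the separation described in this message, as an added example that is not part of the original post. The `SiteAccounts` class, the `publish_openid` opt-in flag, and the `anon` placeholder handle are hypothetical names; the `/users/` path follows the permalink pattern in the quoted question.

```python
import html
import secrets
from urllib.parse import quote


class SiteAccounts:
    """Maps a globally unique OpenID (login key) to a site-local display handle."""

    def __init__(self):
        self._by_openid = {}   # OpenID -> account record; not rendered by default
        self._handles = set()  # casefolded handles, unique only within this site

    def login(self, openid):
        """Return the account for an OpenID; first login gets a placeholder handle."""
        acct = self._by_openid.get(openid)
        if acct is None:
            handle = "anon" + secrets.token_hex(4)
            while handle in self._handles:
                handle = "anon" + secrets.token_hex(4)
            self._handles.add(handle)
            acct = {"openid": openid, "handle": handle, "publish_openid": False}
            self._by_openid[openid] = acct
        return acct

    def set_nickname(self, openid, nickname):
        """Change the displayed handle; uniqueness is enforced per site only."""
        acct = self._by_openid[openid]
        key = nickname.casefold()
        if key in self._handles and key != acct["handle"].casefold():
            raise ValueError("nickname already taken on this site")
        self._handles.discard(acct["handle"].casefold())
        self._handles.add(key)
        acct["handle"] = nickname

    def profile_url(self, openid):
        """Permalink built from the site-local handle, never from the OpenID."""
        return "/users/" + quote(self._by_openid[openid]["handle"], safe="")

    def byline(self, openid):
        """HTML credit line; the OpenID appears only if the user opted in."""
        acct = self._by_openid[openid]
        shown = acct["openid"] if acct["publish_openid"] else acct["handle"]
        return '<a href="%s">%s</a>' % (self.profile_url(openid), html.escape(shown))
```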