[OpenID] OpenID consumers should make it clear if they are going to publish a user's OpenID
Evan Prodromou
evan at prodromou.name
Mon May 14 18:13:07 UTC 2007
On Sat, 2007-12-05 at 20:32 +0100, Simon Willison wrote:
> OpenID consumer/relying party best practices should include the
> recommendation that sites make it clear to a user if their OpenID will
> be publicly exposed. Exposing OpenIDs should be avoided if not
> necessary for the purpose of the site (as is the case with Jyte or
> blog comment signing), or at the very least made "opt-in" so users can
> decide if they want their OpenID exposed or not.
>
> Does that sound sensible?
No, because "necessary for the purpose of the site" is too vague. Few if
any sites that require authentication don't have some sense of identity
and reputation.

For wikis, for instance, a user can provide an identity URL that links
to another well-known wiki site, where your reputation can be
ascertained using the site software. It's a big reason people on
Wikitravel like OpenID.

There are few examples where exposing an OpenID is absolutely necessary
-- neither Jyte nor blog comments _require_ exposing OpenIDs to the
public. I think it's probably a bad idea to try to arbitrate when a
global identity and reputation is important and when it is not.

All that said, I think that recommending that OpenID exposure be
optional, and that users should be informed of the default _before_
using their OpenID, is a good idea.

-Evan
--
Evan Prodromou <evan at prodromou.name>