[OpenID] OpenID consumers should make it clear if they are going to publish a user's OpenID

Chris Messina chris.messina at gmail.com
Mon May 14 18:40:02 UTC 2007


On 5/14/07, Jonathan Daugherty <cygnus at janrain.com> wrote:
> # If you don't want to be correlated, use a different OpenId.
>
> If the user has to manage those identifiers, then that approach
> *doesn't scale*.  I'm eagerly awaiting OpenID 2 IDP-driven identifier
> selection, so my IDP can manage them for me.

Some of this seems to come down to interface -- both the revealing of
a URL on an RP that can be correlated (primarily because it's text)
across sites -- and on the user side.

If we were to move to an interface more like CardSpace, this issue, I
would think, would be somewhat diminished -- since you'd have already
entered in your iDP(s) and then would be selecting from the list of
identities that you've already set up. Additionally, and this is an
interesting aspect of this discussion, when the user is not entering a
URL to represent themselves but instead a graphic, it would not follow
that their OpenID URL would show up in the system at that point, but
rather some graphic identifier... which, owing to its binary form,
would be harder to cross-correlate across sites from the
machine-level.

Anyway, I just wanted to throw out the possibility that, from the
user's perspective, you won't always be authenticating with text...
and therefore, if you reveal their OpenID URL on the site, you might
end up causing more confusion anyway.

Thoughts on how this does or doesn't change things?

Chris

-- 
Chris Messina
Citizen Provocateur &
  Open Source Advocate-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412 225-1051
Skype: factoryjoe
This email is:   [ ] bloggable    [X] ask first   [ ] private


