[OpenID] OpenID consumers should make it clear if they are going to publish a user's OpenID
Johnny Bufu
johnny at sxip.com
Tue May 15 05:17:02 UTC 2007
On 14-May-07, at 6:40 PM, Dave Kearns wrote:
> From: Johnny Bufu
>>
>> On 14-May-07, at 8:07 AM, Dave Kearns wrote:
>>
>>> What's the point of using different OpenID identifiers at different
>>> sites?
>>
>> So that the sites (RPs) do not correlate your identities.
>>
>
> But the RPs have no knowledge of which other RPs anyone is going to, do
> they? (Except, of course, for information passed outside the OpenID
> transaction).
They may have if, for example, the RPs make the identifiers of the
users public.
> The OP would be able to do this correlation, of course, but unless I used
> different OPs for each OpenID this is always going to be possible.
The users trust their OP; they don't need to defend against the OP
correlating their actions.
> So, again, where's the benefit? Without some sort of simplified signon
> capability there's little to no benefit to the user over simple
> username/password combinations.
I believe there is - with directed identity the users get all the
other benefits OpenID offers, without the RPs being able to correlate
them.
Johnny
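
The correlation argument in this message, as an added example that is not part of the original post: two RPs publish their users' identifiers, first when one identifier is reused everywhere and then with directed identity. The HMAC derivation, the OP secret, the host names and the user lists are assumptions constructed for illustration; OpenID does not prescribe how an OP generates per-RP identifiers.

```python
import hashlib
import hmac

# Hypothetical OP secret and base URL, constructed for this example.
OP_SECRET = b"constructed-demo-secret"
OP_BASE = "https://op.example/id/"


def global_identifier(user: str, realm: str) -> str:
    """One identifier reused at every RP; the RP realm is ignored."""
    return OP_BASE + user


def directed_identifier(user: str, realm: str) -> str:
    """Per-RP identifier: opaque value keyed on (user, RP realm).

    Assumed scheme: HMAC-SHA256 under a secret only the OP holds, so an RP
    cannot recompute the identifier the same user has at another RP.
    """
    msg = f"{user}\x00{realm}".encode()
    mac = hmac.new(OP_SECRET, msg, hashlib.sha256)
    return OP_BASE + mac.hexdigest()[:32]


def published_ids(issue, users, realm):
    """Identifiers an RP exposes if it makes its users' identifiers public."""
    return {issue(u, realm) for u in users}


def correlated(issue, users_a, realm_a, users_b, realm_b):
    """Identifiers an observer can match across both published lists."""
    return (published_ids(issue, users_a, realm_a)
            & published_ids(issue, users_b, realm_b))


# Constructed sample data: two RPs with overlapping user bases.
RP_A, RP_B = "https://forum.example/", "https://shop.example/"
USERS_A = ["alice", "bob", "carol"]
USERS_B = ["bob", "carol", "dave"]

if __name__ == "__main__":
    for name, issue in (("global", global_identifier),
                        ("directed", directed_identifier)):
        hits = correlated(issue, USERS_A, RP_A, USERS_B, RP_B)
        print(f"{name:8s} identifiers matched across RPs: {len(hits)}")
```

The OP can still link both identifiers to the same account, which matches the point above that users trust their OP and only the RPs lose the ability to correlate.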