[OpenID] Can one use Generic OpenIds
David Fuelling
sappenin at gmail.com
Tue May 22 23:19:41 UTC 2007
Simon,

First off, I agree with others on the list that the Sun use of inferring
attribute data is different than what Peter Sefton initially asked about.
Even so, (for the record), I'm not rock-solid against what you're
advocating, but a few good arguments in favor of not using the OpenId itself
to indicate profile/attribute information are as follows:

1.) Inferring attribute data from an OpenId is IMHO an "anti-Best Practice"
for an *OP* because it ties the hands of an OP (if the OP desires to not
lose credibility in the marketplace later on). From P. Windley, "What if
Sun decides to open it up to everyone next year and in the meantime, systems
have been deployed assuming that only Sun employees are entitled to these
identifiers?". Arguably, Sun won't be able to become a generic OP without
upsetting a lot of RPs (assuming RP's actually deploy code that interfaces
with Sun OpenIds in this way).

2.) Inferring attribute data from an OpenId is IMHO an "anti-Best Practice"
for an *RP*, since an OP might change its policies without notifying every
RP. How will a given RP know if Sun decides to relax its policies concerning
"Sun OpenIds are only used by Sun Employees"? This could create security
headaches depending on what is inferred by a given OpenId.

3.) The attribute inferences are way too subjective.
What exactly is a "Sun Employee", anyway? For example, are Sun contractors
considered employees? I suppose the definition will be set by Sun
somewhere, but it's not scalable for everybody to be defining their own
attribute data in this fashion, unless there is a common way to translate
what this attribute data *means* (AX is trying to do something like this).
Without such standardization, how will RP's and OP's know which attribute
info to infer from a given openid?

On 5/22/07, Simon Willison <simon at simonwillison.net> wrote:
>
> On 5/22/07, David Fuelling <sappenin at gmail.com> wrote:
> > Only a few weeks ago, when Sun announced that all of their employees would
> > have OpenId's (and by proxy, all of these employees could identify
> > themselves as sun employees using these ids) there was a lot of discussion
> > (around the web) relating to why this is a bad idea.
>
> I'd really like to see some URLs for this - as far as I was aware the
> only public negative commentary was here - and even that wasn't very
> strongly worded:
> http://www.windley.com/archives/2007/05/sun_supports_openid_and_opens_the_question_of_reputation.shtml
>
>
> As someone who is a big proponent of the idea of OpenIDs from
> different providers meaning different things I would be very
> interested in hearing the arguments against.
>
> Cheers,
>
> Simon
>