[OpenID] Can one use Generic OpenIds
Peter (pt) Sefton
pt at ptsefton.com
Wed May 23 03:05:04 UTC 2007
Thanks all,
If I understand correctly, I could use the OpenId I suggested, but it may be
better to do it using attributes, for reasons covered in this thread.
So, if there is an attribute exchange mechanism, why do I need to have a
unique URL for my ID?
For example, I may visit a university and want to use some service
anonymously, why can't I use a generic ID like http://openid.myuni.edu.au/,
and when I log in at myuni select how much info I want to share? Another day
I might choose to use a service that requires myuni to pass my name and my
favourite movies (to use the example in the spec).
If users are logging in on different days with different attributes for
different services, then surely the ID is not just the initial URL, it is a
combination of that plus attributes? Or am I missing something?
Peter
On 5/23/07, David Fuelling <sappenin at gmail.com> wrote:
>
> Simon,
>
> First off, I agree with others on the list that the Sun use of inferring
> attribute data is different than what Peter Sefton initially asked about.
> Even so, (for the record), I'm not rock-solid against what you're
> advocating, but a few good arguments in favor of not using the OpenId
> itself to indicate profile/attribute information are as follows:
>
> 1.) Inferring attribute data from an OpenId is IMHO an "anti-Best
> Practice" for an *OP* because it ties the hands of an OP (if the OP desires
> to not lose credibility in the marketplace later on). From P. Windley,
> "What if Sun decides to open it up to everyone next year and in the
> meantime, systems have been deployed assuming that only Sun employees are
> entitled to these identifiers?". Arguably, Sun won't be able to become a
> generic OP without upsetting a lot of RPs (assuming RP's actually deploy
> code that interfaces with Sun OpenIds in this way).
>
> 2.) Inferring attribute data from an OpenId is IMHO an "anti-Best
> Practice" for an *RP*, since an OP might change its policies without
> notifying every RP. How will a given RP know if Sun decides to relax its
> policies concerning "Sun OpenIds are only used by Sun Employees"? This
> could create security headaches depending on what is inferred by a given
> OpenId.
>
> 3.) The attribute inferences are way too subjective.
> What exactly is a "Sun Employee", anyway? For example, are Sun
> contractors considered employees? I suppose the definition will be set by
> Sun somewhere, but it's not scalable for everybody to be defining their own
> attribute data in this fashion, unless there is a common way to translate
> what this attribute data *means* (AX is trying to do something like this).
> Without such standardization, how will RP's and OP's know which attribute
> info to infer from a given openid?
>
>
> On 5/22/07, Simon Willison < simon at simonwillison.net> wrote:
> >
> > On 5/22/07, David Fuelling <sappenin at gmail.com> wrote:
> > > Only a few weeks ago, when Sun announced that all of their employees would
> > > have OpenId's (and by proxy, all of these employees could identify
> > > themselves as Sun employees using these ids) there was a lot of discussion
> > > (around the web) relating to why this is a bad idea.
> >
> > I'd really like to see some URLs for this - as far as I was aware the
> > only public negative commentary was here - and even that wasn't very
> > strongly worded:
> > http://www.windley.com/archives/2007/05/sun_supports_openid_and_opens_the_question_of_reputation.shtml
> >
> >
> > As someone who is a big proponent of the idea of OpenIDs from
> > different providers meaning different things I would be very
> > interested in hearing the arguments against.
> >
> > Cheers,
> >
> > Simon
> >
>
--
Peter Sefton
Senior Research Fellow / RUBRIC Technical Manager
RUBRIC Project, DeC
University of Southern Queensland
Toowoomba Queensland 4350 AUSTRALIA
Work: sefton at usq.edu.au
Private: pt at ptsefton.com
p: +61 (0)7 4631 1640
m: +61 (0)410 326 955
RUBRIC Website: http://www.rubric.edu.au
USQ Website: http://www.usq.edu.au
Personal Website: http://ptsefton.com
RUBRIC is supported by the Systemic Infrastructure Initiative as part of
the Commonwealth Government's Backing Australia's Ability - An
Innovative Action Plan for the Future
(http://backingaus.innovation.gov.au)
The University of Southern Queensland is a registered provider of
education with the Australian Government.
(CRICOS Codes: QLD 00244B | NSW 02225M | VIC 02387D | WA 02521C)
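
The contrast discussed in this thread, as an added example that is not part of the original messages: a relying party that infers an attribute from the OP's host beside one that requires an explicit attribute in the response. It assumes OpenID Attribute Exchange 1.0 field names, an assertion whose signature was already verified, and a hypothetical attribute type URI and "staff" value.

```python
from urllib.parse import urlparse

AX_NS = "http://openid.net/srv/ax/1.0"
AFFILIATION = "http://example.org/ax/affiliation"  # hypothetical type URI

def inferred_staff(fields, op_host):
    """Weak check: every identifier under op_host is assumed to be staff."""
    return urlparse(fields.get("openid.claimed_id", "")).hostname == op_host

def signed_ax(fields):
    """Map AX type URI -> value, keeping only pairs listed in openid.signed.
    Assumes the assertion signature itself was already verified."""
    signed = set(fields.get("openid.signed", "").split(","))
    # The AX alias is chosen by the sender, so find it by namespace URI.
    alias = next((k[len("openid.ns."):] for k, v in fields.items()
                  if k.startswith("openid.ns.") and v == AX_NS), None)
    if alias is None or fields.get(f"openid.{alias}.mode") != "fetch_response":
        return {}
    attrs, prefix = {}, f"openid.{alias}.type."
    for key, type_uri in fields.items():
        if key.startswith(prefix):
            name = key[len(prefix):]
            value = fields.get(f"openid.{alias}.value.{name}")
            # openid.signed lists field names without the "openid." prefix.
            covered = {f"{alias}.type.{name}", f"{alias}.value.{name}"} <= signed
            if value is not None and covered:
                attrs[type_uri] = value
    return attrs

def asserted_staff(fields, op_host):
    """Stricter check: expected OP host AND an explicit, signed attribute."""
    return (inferred_staff(fields, op_host)
            and signed_ax(fields).get(AFFILIATION) == "staff")

# Constructed sample assertions for the generic ID mentioned in the thread.
GENERIC = {"openid.claimed_id": "http://openid.myuni.edu.au/",
           "openid.signed": "claimed_id"}
WITH_AX = dict(GENERIC, **{
    "openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_response",
    "openid.ax.type.aff": AFFILIATION, "openid.ax.value.aff": "staff",
    "openid.signed": "claimed_id,ns.ax,ax.mode,ax.type.aff,ax.value.aff"})
UNSIGNED_AX = dict(WITH_AX, **{"openid.signed": "claimed_id"})
```

With the generic identifier, the host-based check accepts an anonymous login as staff, while the attribute-based check accepts only the response that carries the signed attribute.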