[OpenID] [OPenID] OpenID usage figures
Peter Williams
pwilliams at rapattoni.com
Mon Oct 1 21:13:54 UTC 2007
If one looks in an X.509 cert from VeriSign, it contains a legal notice string. It gives notice (allegedly) to the RP that the RP must accept the VeriSign Relying Party Agreement, before making use of the information in, about, or inferred from the cert. The cert also bears a copyright notice, one or more VeriSign trademarks, and is supported by general Ts&Cs that declare that the copy of the cert is the property of VeriSign (as is the record in the VeriSign Repository from which the copy was minted).
I would expect mainstream OPs to use similar controls over their WebSSO assertions. Said controls may not allow an RP to disclose usage patterns - patterns of behaviour that may contravene the very privacy pledges the OP makes with the subscriber. The controls may be on the association messages, asserting governance of the RP, or on the id_res messages.
A subscriber will normally have a choice of OP, and may specifically choose to use an OP that does not apply relying party agreement controls which constrain how an RP shall behave. The Foundation can have an icon reserved for OPs that participate in its marketing campaign. It should be different to that used for general OpenID compliance.
________________________________
From: general-bounces at openid.net on behalf of Steven Osborn
Sent: Mon 10/1/2007 2:00 PM
To: general at openid.net
Subject: Re: [OpenID] [OPenID] OpenID usage figures
My Idea for this is to:
1. Create a community marketing site similar to spreadfirefox.com
2. Publish a public API that requires registration and API key
3. _RPs_ ping the API with their usage data that looks something like:
     md5(user_id)
     md5(email)
     country
     city
     zip_code
4. The foundation (or spreadopenid llc) promises not to try to reverse
the hashes or publish them in raw format.
5. The data is then filtered through Google Maps APIs and
graphing/reporting mechanisms.
6. The marketing site homepage ranks RPs based on how many logins they
reported from unique users. Which gives RPs incentive and doesn't
_force_ us to rely on IdPs publishing lists, because many IdPs would not
feel comfortable with providing this data.
Of course this is only one small thing a community marketing site would
do, but it seems like a fun start.
p.s.
Sorry for the direct mail Hans
Hans Granqvist wrote:
>> The number of "usages" - I assume you mean the number of RP
>> authentication requests - to determine that figure, you'd need
>> information from the logs of all OpenID Providers.
>>
>
> How about devising a dead-simple voluntary protocol where
> an OP (perhaps also RP) could ping, say http://openid.net/usage
> for the sole purpose of collection of such stats?
>
> GET /usage?op=example.com&event=n HTTP/1.1
>
> where n is an int defining the event (successful auth, sreg used, etc).
>
> (Can be abused, sure. /usage can check source IP to OP for obvious
> system gaming. Maybe that's enough of a deterrent.)
>
> Any takers? Shouldn't take more than a day or so to implement. I can
> help if there is anyone who can host the service.
>
> -Hans
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
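The usage record listed in step 3 of the quoted proposal, as an added example that is not part of the original thread: it builds the record with bare MD5 as proposed, beside an assumed variant that uses HMAC-SHA256 under a key held only by the RP, and shows which of the two digests a party holding a list of addresses can match. The sample user, candidate list, key and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from the thread.
SAMPLE_USER = {"user_id": "https://alice.example.org/", "email": "Alice@Example.org",
               "country": "US", "city": "Springfield", "zip_code": "00000"}
CANDIDATES = ["bob@example.org", "alice@example.org"]  # addresses a third party already holds
RP_KEY = b"constructed-secret-held-only-by-this-RP"    # hypothetical per-RP key


def norm_email(addr):
    return addr.strip().lower().encode("utf-8")


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def report_md5(user):
    """Record as listed in the proposal: bare MD5 of user_id and email."""
    rec = dict(user)
    rec["user_id"] = md5_hex(user["user_id"].encode("utf-8"))
    rec["email"] = md5_hex(norm_email(user["email"]))
    return rec


def report_keyed(user, key):
    """Assumed variant: HMAC-SHA256 under a key that never leaves the RP.
    Still deterministic, so unique logins per RP can be counted."""
    rec = dict(user)
    rec["user_id"] = hmac.new(key, user["user_id"].encode("utf-8"), hashlib.sha256).hexdigest()
    rec["email"] = hmac.new(key, norm_email(user["email"]), hashlib.sha256).hexdigest()
    return rec


def linkable_address(digest, candidates):
    """Return the candidate whose bare MD5 equals `digest`, else None."""
    for addr in candidates:
        if hmac.compare_digest(md5_hex(norm_email(addr)), digest):
            return addr
    return None


if __name__ == "__main__":
    print("md5 record links to:", linkable_address(report_md5(SAMPLE_USER)["email"], CANDIDATES))
    print("keyed record links to:", linkable_address(report_keyed(SAMPLE_USER, RP_KEY)["email"], CANDIDATES))
```

The country, city and zip_code fields are passed through unchanged in both variants, so they remain readable by whoever receives the record.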