[OpenID] [OPenID] OpenID usage figures

Steven Osborn steven.osborn at vidoop.com
Mon Oct 1 21:41:59 UTC 2007 

I am admittedly not familiar with all of the legal precations, but
there would be little way to determine if the hash was from VeriSign or
any other OP.  The RP doesn't have to (and would probably be encouraged
not to) "ping" the server in real time, so no usage pattern information
would be collected.  The site would care very little about which OP's
everyone was using,  just how many unique OpenID user's exits, and where
they are located on the globe.

I like the idea of having a "badge" of sorts that OP's could deploy
showing they support the campaign.



Peter Williams wrote:
>  
> If one looks in a X.509 cert from VeriSign, it contains a legal notice string. It gives notice (allegedly) to the RP that the RP must accept the VeriSign Relying Party Agreement, before making a using of the information in, about, or inferred from the cert. The cert also bears a copyright notice, one or more VeriSign trademarks, and is supported by general Ts&Cs that declare that the copy of the cert is the property of VeriSign (as is the record in the VeriSign Repository from which the copy was minted).
>  
> I would expect mainstream OPs to use similar controls over their WebSSO assertions. Said controls may not allow RP to disclose usage patterns - patterns of behaviour that may contravene the very privacy pledges the OP makes with the subscriber.The controls may be on the association messages, asserting governance of the RP, or on the id_res messages.
>  
> A subscriber will normally have a choice of OP, and may specifically choose to use an OP that does not apply relying party agreement controls which constrain how an RP shall behave. The Foundation can have icon reserved for OP that participate in its marketing campaign. It should be different to that used for general OpenID compliance.
>  
> ________________________________
>
> From: general-bounces at openid.net on behalf of Steven Osborn
> Sent: Mon 10/1/2007 2:00 PM
> To: general at openid.net
> Subject: Re: [OpenID] [OPenID] OpenID usage figures
>
>
>
> My Idea for this is to:
>
> 1. Create a community marketing site similar to spreadfirefox.com
> 2. Publish a public API that requires registration and API key
> 3. _RPs_  ping the API with their usage data that looks something like:
>     md5(user_id)
>     md5(email)
>     country
>     city
>     zip_code
> 4. The foundation ( or spreadopenid llc ) promises not to try to reverse
> the hashes or publish them in raw format.
> 5. The data is then filtered through google maps API's and
> graphing/reporting mechanisms.
> 6. The marketing site homepage ranks RP's based on how many logins they
> reported from unique users.  Which gives RP's incentive and doesn't
> _force_ us to rely on IdPs publishing list, because many IdP's would not
> feel comfortable with providing this data.
>
> Of course this is only one small thing a community marketing site would
> do, but it seems like a fun start.
>
>
> p.s.
> Sorry for the direct mail Hans
>
>
> Hans Granqvist wrote:
>   
>>> The number of "usages" - I assume you mean the number of RP
>>> authentication requests - to determine that figure, you'd need
>>> information from the logs of all OpenID Providers.
>>>    
>>>       
>> How about devising a dead-simple voluntary protocol where
>> an OP (perhaps also RP) could ping, say http://openid.net/usage
>> for the sole purpose of collection of such stats?
>>
>>   GET /usage?op=example.com&event=n HTTP/1.1
>>
>> where n is an int defining the event (successful auth, sreg used, etc).
>>
>> (Can be abused, sure. /usage can check source IP to OP for obvious
>> system gaming. Maybe that's enough of deterrent.)
>>
>> Any takers? Shouldn't take more than a day or so to implement. I can
>> help if there is anyone who can host the service.
>>
>> -Hans
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>>  
>>     
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>

More information about the general mailing list