[OpenID] A selector for OpenID

Peter Watkins peterw at tux.org
Mon Apr 21 14:41:43 UTC 2008 

On Sun, Apr 20, 2008 at 08:37:50PM -0700, Grant Monroe wrote:
> 
> One technical reason why the ID Selector is centralized is because the
> ID Selector will auto-fill forms on sites a user has never visited. If
> you've visited one RP using the ID Selector, your openid will be
> auto-filled when you visit any other new RP (provided that the new RP
> is using the ID Selector).

That makes sense, but raises another privacy issue -- it seems likely 
that code from the RP could detect this autocompletion and learn more
than the user wanted to disclose. I have a number of different OpenID
URLs, and I might not want one RP seeing the identifier I claimed on
another RP. You should give users the option of disabling this, and you
should consider remembering the last identifier claimed per RP -- if
I used my AIM screenname when I visited Site X last week, that's the
identifier I'll probably use again today; Site X does not need to know
the Blogger identity I used at Site Y yesterday. 

Even if Site X didn't try to capture that data, I might be spooked that 
Site X displayed my Site Y identity and therefore *appeared* to know it. 
What happens when an activist visits the FBI site and sees it autocomplete 
to whistleblower.blogger.com or some such? I'm thinking about some slides 
from a presentation that, IIRC, David R gave a long time ago about the 
value of users having different nyms in different contexts. "New site" 
autocomplete threatens David's multiple-nym model in both appearance
and fact. With RP-hosted code you could trivially get intelligent 
per-RP autocompletion that didn't have that drawback.

And it doesn't need to be either-or. I believe there could be "Save" and 
"Lookup" buttons in RP-hosted code that would use simple DOM tricks to
pass info to/from idselector via pixel shims & querystrings so the 
activist could click Lookup on the FBI site if she really wanted to 
autofill the OpenID identity she last used online. But absent a click on 
Lookup or Save, there wouldn't be any traffic to idselector. Admittedly
worse for ease of use than always trying to autocomplete, but better 
in some other regards.

And of course there's the option of client-side code: Firefox and IE Add-Ons,
something more like the CardSpace client-side ID selector.

-Peter

More information about the general mailing list