[OpenID] OpenID and SSO

Leon Kuunders leon at kuunders.info
Wed Jul 2 07:58:36 UTC 2008


Think about IP addresses: are they personal information? If so, and 
following the train of thought mentioned by Dick, a user would not be 
able to choose to share information without sharing this information.


So I guess this discussion comes down to the difference between logging 
in (offer credentials) and profiling (offer personal information).  
These two can, but do not have to be, the same: credentials are not 
necessarily personal information.


"Click to proceed" would result in "profiling", not "authentication", 
so SSO can be invisible to the user.


my 2$, --Leon.



Dick Hardt wrote:

> I think the contractual and privacy issues will require a click to 
> login. EU and Canadian privacy laws require the user to have consented 
> to acquiring personal information. Similar to the EULA licenses users 
> have to actively do something with.
>
> Since it is impossible to know how the user truly arrived at a page, 
> and users can arrive at a page without having actively chosen to, the 
> site needs the user to actively do something to acknowledge they want 
> to share information and not be pseudonymous.
>
> On 1-Jul-08, at 1:47 AM, SitG Admin wrote:
>
>>> Users do not want to login. Really, they don't.
>>>
>>> Therefore you can measure the success of SSO by counting the
>>> disappearing login "buttons" or "links" on websites who do offer
>>> user centric (profiling) services.
>>
>> A vital question here, then, is whether the user values privacy
>> enough to forgo this level of convenience. Short of opting to
>> automatically grant all RP requests (and never prompt user for
>> re-authentication to the OP - it can still expire, just don't bother
>> the *user* with renewing it), there is no way to "intelligently"
>> practice selective login for the user.
>>
>>> "Click to proceed", yes,
>>
>> There shouldn't even be that, though. Just go to the site and see the
>> page. No matter how much you abstract the process of authenticating,
>> if they have to take steps to have the service recognize them then
>> it's a login.
>>
>> -Shade
>> _______________________________________________
>> general mailing list
>> general at openid.net
>> http://openid.net/mailman/listinfo/general
>
>


