[OpenID] OpenID and SSO
Dick Hardt
dick at sxip.com
Wed Jul 2 16:18:37 UTC 2008
I'm unclear now on where this thread is going ... :)
fwiw: my point was that providing the user something to click rather
than type is more desirable -- and propose that for OpenID, letting
the user click something to login is a desirable end goal
wrt. below, implicit in a "Click to proceed" is telling the site that
you are a specific entity -- so you effectively have signed on.
-- Dick
On 2-Jul-08, at 12:58 AM, Leon Kuunders wrote:
> Think about IP addresses: are they personal information? If so, and
> following the train of thought mentioned by Dick, a user would not be
> able to choose to share information without sharing this information.
>
>
> So I guess this discussion comes down to the difference between logging
> in (offer credentials) and profiling (offer personal information).
> These two can, but do not have to be, the same: credentials are not
> necessarily personal information.
>
>
> "Click to proceed" would result in "profiling", not "authentication",
> so SSO can be invisible to the user.
>
>
> my 2$, --Leon.
>
>
>
> Dick Hardt wrote:
>
>> I think the contractual and privacy issues will require a click to
>> login. EU and Canadian privacy laws require the user to have consented
>> to acquiring personal information. Similar to the EULA licenses users
>> have to actively do something with.
>>
>> Since it is impossible to know how the user truly arrived at a page,
>> and users can arrive at a page without having actively chosen to, the
>> site needs the user to actively do something to acknowledge they want
>> to share information and not be pseudonymous.
>>
>> On 1-Jul-08, at 1:47 AM, SitG Admin wrote:
>>
>>>> Users do not want to login. Really, they don't.
>>>>
>>>> Therefore you can measure the success of SSO by counting the
>>>> disappearing login "buttons" or "links" on websites who do offer
>>>> user centric (profiling) services.
>>>
>>> A vital question here, then, is whether the user values privacy
>>> enough to forgo this level of convenience. Short of opting to
>>> automatically grant all RP requests (and never prompt user for
>>> re-authentication to the OP - it can still expire, just don't bother
>>> the *user* with renewing it), there is no way to "intelligently"
>>> practice selective login for the user.
>>>
>>>> "Click to proceed", yes,
>>>
>>> There shouldn't even be that, though. Just go to the site and see the
>>> page. No matter how much you abstract the process of authenticating,
>>> if they have to take steps to have the service recognize them then
>>> it's a login.
>>>
>>> -Shade
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
>>
>>