[OpenID] OpenID and SSO

Peter Williams pwilliams at rapattoni.com
Wed Jul 2 17:46:59 UTC 2008


It's establishing that sso does not preclude one being invited or required to confirm the release of the cached web credentials to an rp, using some ui step.

It's very nice that windows sends your credentials automatically to the lan printer also on the domain, so you don't have to provide your password again merely to print. But, this is the only model of sso, and websso in particular.

-----Original Message-----
From: Dick Hardt <dick at sxip.com>
Sent: Wednesday, July 02, 2008 9:18 AM
To: leon at kuunders.info <leon at kuunders.info>
Cc: general at openid.net <general at openid.net>
Subject: Re: [OpenID] OpenID and SSO


I'm unclear now on where this thread is going ... :)

fwiw: my point was that providing the user something to click rather
than type is more desirable -- and propose that for OpenID, letting
the user click something to login is a desirable end goal

wrt. below, implicit in a "Click to proceed" is telling the site that
you are a specific entity -- so you effectively have signed on.

-- Dick

On 2-Jul-08, at 12:58 AM, Leon Kuunders wrote:

> Think about IP addresses: are they personal information? If so, and
> following the train of thought mentioned by Dick, a user would not be
> able to choose to share information without sharing this information.
>
>
> So I guess this discussion comes down to the difference between
> logging in (offer credentials) and profiling (offer personal
> information). These two can, but do not have to be, the same:
> credentials are not necessarily personal information.
>
>
> "Click to proceed" would result in "profiling", not "authentication",
> so SSO can be invisible to the user.
>
>
> my 2$, --Leon.
>
>
>
> Dick Hardt wrote:
>
>> I think the contractual and privacy issues will require a click to
>> login. EU and Canadian privacy laws require the user to have
>> consented to acquiring personal information. Similar to the EULA
>> licenses users have to actively do something with.
>>
>> Since it is impossible to know how the user truly arrived at a page,
>> and users can arrive at a page without having actively chosen to, the
>> site needs the user to actively do something to acknowledge they want
>> to share information and not be pseudonymous.
>>
>> On 1-Jul-08, at 1:47 AM, SitG Admin wrote:
>>
>>>> Users do not want to login. Really, they don't.
>>>>
>>>> Therefore you can measure the success of SSO by counting the
>>>> disappearing login "buttons" or "links" on websites who do offer
>>>> user centric (profiling) services.
>>>
>>> A vital question here, then, is whether the user values privacy
>>> enough to forgo this level of convenience. Short of opting to
>>> automatically grant all RP requests (and never prompt user for
>>> re-authentication to the OP - it can still expire, just don't bother
>>> the *user* with renewing it), there is no way to "intelligently"
>>> practice selective login for the user.
>>>
>>>> "Click to proceed", yes,
>>>
>>> There shouldn't even be that, though. Just go to the site and see
>>> the page. No matter how much you abstract the process of
>>> authenticating, if they have to take steps to have the service
>>> recognize them then it's a login.
>>>
>>> -Shade
>>> _______________________________________________
>>> general mailing list
>>> general at openid.net
>>> http://openid.net/mailman/listinfo/general
>>
>>