[OpenID] Consumers storing data against an OpenID

Peter Williams pwilliams at rapattoni.com
Fri May 23 06:15:33 UTC 2008


Once I have account linked to a plaxo account (as introduced by an openid positive assertion), I have no expectation personally that the OP is further involved in those matters of contractual privity between me and plaxo. Sorry, OpenID OP: you are not a PKI style governance model controlling "use" of the identity and associated attributes by the relying party. This is especially true in the account linking model that almost all the major RPs use (which contrasts with Nate's Shibboleth SSO model, incidentally).
 
Now AX blurs that black and white boundary. AX is all about RPs. And AX (probably) leverages the Association one just established between OP and RP.
 
Now, RPs don't manage identity attributes (that's what OPs do!) and they don't publish identity pages (like myopenid's microformatted page of attributes, that semweb crawlers can easily read and process). At most, an RP would register its own name for the openid (sharing the account linking value) so that other RPs might similarly leverage that binding. And, by construction, the nameid registration mechanism (which openid calls AX) can be extended for any value/attribute that the RP wishes to share (with other RPs, not the OP).
 
Does the law#4 notion of OP and OpenID auth come into play when releasing such "nameid" attributes under the AX model, to RP#n? Does Law#1 come into play?
 
Not that I'm aware. But I'm happy to be educated on the security model. I find the whole law thing rather bogus, but at the same time... it's a useful way of having semantics discussions using non-technical language.
 
_________________________
Peter Williams


________________________________

From: general-bounces at openid.net on behalf of SitG Admin
Sent: Thu 5/22/2008 8:56 PM
To: general at openid.net
Subject: Re: [OpenID] Consumers storing data against an OpenID



At 11:11 AM -0700 5/22/08, Peter Williams wrote:
>For example, if I have registered my social graph with plaxo and
>stated release policy (to plaxo's proprietary attribute syncing
>system), I may know from the terms of service that it could now be
>shared openly (via AX) with others.

Or it could be shared anyway, if your OP decides to collect
information about you and send it to certain RPs; how critical is
your acceptance of an information-release policy in such cases?

-Shade