[OpenID] Consumers storing data against an OpenID
Nate Klingenstein
ndk at internet2.edu
Fri May 23 06:25:47 UTC 2008
Peter,
> Once I have account linked to a plaxo account (as introduced by an
> openid positive assertion), I have no expectation personally that
> the OP is further involved in those matters of contractual privity
> between me and plaxo. Sorry, OpenID OP: you are not a PKI style
> governance model controlling "use" of the identity and associated
> attributes by the relying party. This is especially true in the
> account linking model that almost all the major RPs use (which
> contrasts with Nate's Shibboleth SSO model, incidentally).
It contrasts with our major prevailing *trust* model, where we do
indeed recommend that SPs discard all attributes they've received
once they no longer need them. This is to prevent duplication of
data, which leads to stale information, confusion over who's
authoritative within an organization, and many points at which user
privacy can leak out. There've been enough articles about "6 million
yaddity numbers lost by blah" that nobody wants to headline another
one of them.
In practice, there are a lot of applications that keep attributes for
a long time to persist a remote representation of a user. Our
learning management systems and the implementation of Shibboleth in
Microsoft DreamSpark alongside LiveID are two good examples.
I consider this an art, not a science. Centralize all the data it
makes sense to centralize: it needs to be commonly used and useful.
For the rest of it, and for applications that can't use centralized
data, keep it with the app.
Take care,
Nate.