[OpenID] query regarding OP migration

Nate Klingenstein ndk at internet2.edu
Sat May 31 02:03:40 UTC 2008


Mr. Shade,

I still believe deregistration of the user is beneficial to alleviate  
the other problems I mentioned resulting from stale identity  
information.  However, as you describe, in the event that site A is  
compromised or malicious, all is indeed lost unless the user is able  
to manually reconcile themselves at all their RP's.  That's generally  
a pretty unfortunate situation that should be avoided actively.

Yet another reason I think OP reputation and communities are really  
important,
Nate.

On 30 May 2008, at 23:34, SitG Admin wrote:

> I don't think there's any way to do that, *period*. If site A wants  
> to say something about the user (as identified by their URI), it  
> can. If it wants to collect details about the user, it can add that  
> data to the mix. If the user *cooperates* (say, by volunteering  
> their personal information because the program/service/game  
> "requires" that to function, or to inform them of updates, or  
> whatever), it can add that data to the mix. Most importantly,  
> though - if site A wants to, it can *make up* information about the  
> user and report this to anyone that asks.
>
> The *real* trick is in getting anyone else to *trust* what site A  
> says. As noted in Peter's message, RP's that decide "Well, the user  
> *used to* trust site A - last time we checked, anyway." to override  
> "The user is telling us NOW that they do NOT trust site A." aren't  
> following the security protocols. We can address this trust issue  
> in the specs (I thought it was already?), and laws against libel  
> may be applicable in making the site stop "saying" it (at least, so  
> outspokenly), but I don't think there's any way of making a site  
> *remove* data/details about someone. (A lot of royally pissed-off  
> trolls whose various identities were exposed and the proof posted  
> on the internet, can attest to this through their inability to have  
> that evidence removed.)
