[OpenID] Correlating Identifiers
Eric Sachs
esachs at google.com
Thu Nov 6 02:04:14 UTC 2008
>> I believe that Google is returning unique identifiers for each RP that
>> the user signs into, which is different than Yahoo's implementation.
>> However, Google is sharing the user's email address which arguably is better
>> suited for identity consolidation/correlation compared to an OpenID URL.
Allen is correct. Our new OpenID IDP returns identifiers that are unique
per RP. However, our Blogger IDP still returns the same URL to each RP, i.e.
the URL of the person's blog.
On Wed, Nov 5, 2008 at 5:06 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> Hi Nate -
>
> By default, Yahoo users get a single machine generated OpenID identifier
> which is used at all RPs that the user signs into. Because the identifier is
> not unique to the RP, the user can be identified across multiple sites.
>
> Prior to launching our OpenID service, Yahoo's policy with our proprietary
> SSO service was to issue RP-specific identifiers to prevent RPs from sharing
> data about the user and correlating user behavior across different sites.
>
> Based on our discussions with the OpenID community, we concluded that the
> spirit of OpenID is to allow a user to reuse the same identity across the
> net, which implied that we should not vary the identifier that is returned
> to RPs. We believe that there is value in having an identifier with a
> reputation attached to it, and that in the future, RPs may be able to take
> the user's reputation into account to optimize the content and services
> given to first time visitors.
>
> I believe that Google is returning unique identifiers for each RP that the
> user signs into, which is different than Yahoo's implementation. However,
> Google is sharing the user's email address which arguably is better suited
> for identity consolidation/correlation compared to an OpenID URL.
>
> Allen
>
>
> Nate Klingenstein wrote:
>
> Nat,
> I agree, and I'm glad you highlighted this. Privacy also pertains
> strongly to other attributes. I think consistent use of AX as a transport
> protocol makes it much easier for sites to give proper privacy options to
> users.
>
> Separately, persistent opaque identifiers are a really good thing,
> especially when unique to a particular RP/SP. When Yahoo first made the
> decision to use them as the default in their implementation, I was worried
> that most of their applications, users, and developers would be baffled, and
> didn't know why they weren't targeted. I wonder if Allen has any new words
> of wisdom to share now that he has experience with them in practice.
>
> Take care,
> Nate.
>
> Now, IMHO, privacy advocates have much to say on this: correlations.
> So, we should tread carefully in this area, though.
>
>
> ------------------------------
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
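Added example, not part of the original thread and not Google's or Yahoo's actual scheme: a sketch of the trade-off discussed above, comparing one identifier reused at every RP with per-RP identifiers, and showing that releasing the same email address to each RP restores the join key. The HMAC derivation, the secret, the realms, the users and the `claimed_id`/`email` record layout are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo values (assumptions, not taken from any real IdP).
IDP_SECRET = b"constructed-demo-secret"
IDP_BASE = "https://idp.example/id/"
USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def global_identifier(local_user):
    """One machine-generated identifier reused at every RP."""
    mac = hmac.new(IDP_SECRET, local_user.encode(), hashlib.sha256)
    return IDP_BASE + mac.hexdigest()[:32]


def pairwise_identifier(local_user, rp_realm):
    """Identifier unique per RP: keyed hash over (realm, user)."""
    # Length-prefix the realm so different (realm, user) splits cannot collide.
    msg = f"{len(rp_realm)}:{rp_realm}|{local_user}".encode()
    return IDP_BASE + hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def assertion(local_user, email, rp_realm, pairwise, release_email):
    """Simplified record an RP stores after sign-in (not the OpenID wire format)."""
    if pairwise:
        record = {"claimed_id": pairwise_identifier(local_user, rp_realm)}
    else:
        record = {"claimed_id": global_identifier(local_user)}
    if release_email:
        record["email"] = email
    return record


def correlate(records_a, records_b):
    """Pairs of records from two RPs that share any attribute value."""
    keys = ("claimed_id", "email")
    return [(a, b) for a in records_a for b in records_b
            if any(k in a and a.get(k) == b.get(k) for k in keys)]


def scenario(pairwise, release_email):
    """Number of users two RPs can link under the given IdP policy."""
    rp_a = [assertion(u, e, "https://shop.example/", pairwise, release_email)
            for u, e in USERS]
    rp_b = [assertion(u, e, "https://forum.example/", pairwise, release_email)
            for u, e in USERS]
    return len(correlate(rp_a, rp_b))
```

With the two constructed users, `scenario(False, False)` links both, `scenario(True, False)` links none, and `scenario(True, True)` links both again through the email attribute.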