[OpenID] Correlating Identifiers
Ben Laurie
benl at google.com
Fri Nov 7 09:21:43 UTC 2008
On Thu, Nov 6, 2008 at 12:06 AM, Allen Tom <atom at yahoo-inc.com> wrote:
> Hi Nate -
>
> By default, Yahoo users get a single machine generated OpenID identifier
> which is used at all RPs that the user signs into. Because the identifier is
> not unique to the RP, the user can be identified across multiple sites.
>
> Prior to launching our OpenID service, Yahoo's policy with our proprietary
> SSO service was to issue RP-specific identifiers to prevent RPs from sharing
> data about the user and correlating user behavior across different sites.
>
> Based on our discussions with the OpenID community, we concluded that the
> spirit of OpenID is to allow a user to reuse the same identity across the
> net, which implied that we should not vary the identifier that is returned
> to RPs. We believe that there is value in having an identifier with a
> reputation attached to it, and that in the future, RPs may be able to take
> the user's reputation into account to optimize the content and services
> given to first time visitors.
>
> I believe that Google is returning unique identifiers for each RP that the
> user signs into, which is different than Yahoo's implementation. However,
> Google is sharing the user's email address which arguably is better suited
> for identity consolidation/correlation compared to an OpenID URL.

We only share the email address:
a) If the RP asks for it, and
b) The user consents.

>
> Allen
>
>
> Nate Klingenstein wrote:
>
> Nat,
> I agree, and I'm glad you highlighted this. Privacy also pertains strongly
> to other attributes. I think consistent use of AX as a transport protocol
> makes it much easier for sites to give proper privacy options to users.
> Separately, persistent opaque identifiers are a really good thing,
> especially when unique to a particular RP/SP. When Yahoo first made the
> decision to use them as the default in their implementation, I was worried
> that most of their applications, users, and developers would be baffled, and
> didn't know why they weren't targeted. I wonder if Allen has any new words
> of wisdom to share now that he has experience with them in practice.
> Take care,
> Nate.
>
> Now, IMHO, privacy advocates have much to say on this: correlations.
> So, we should tread carefully in this area, though.
>
> ________________________________
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
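
The two identifier policies discussed in this thread (one identifier for all RPs versus an RP-specific identifier), and the effect of releasing an email address alongside an RP-specific identifier, shown as an added example that is not part of the original messages and is not Yahoo's or Google's implementation. The HMAC derivation, the `op.example` URLs, the account names and the email addresses are assumptions constructed for illustration.

```python
import hashlib
import hmac

OP_SECRET = b"constructed-demo-key"  # assumption: per-OP secret, never given to RPs
OP_BASE = "https://op.example/id/"   # hypothetical OP, not a real endpoint


def _opaque(*parts: str) -> str:
    # Length-prefix each part so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return OP_BASE + hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def global_identifier(account: str) -> str:
    """One machine-generated identifier, returned to every RP."""
    return _opaque("global", account)


def pairwise_identifier(account: str, realm: str) -> str:
    """RP-specific identifier: stable per (account, realm), differs across realms."""
    return _opaque("pairwise", realm, account)


def assertion(account, realm, mode, rp_requests_email=False, user_consents=False):
    """What the RP learns at sign-in. Email is released only on request AND consent."""
    if mode == "global":
        ident = global_identifier(account)
    else:
        ident = pairwise_identifier(account, realm)
    record = {"claimed_id": ident}
    if rp_requests_email and user_consents:
        record["email"] = account + "@mail.example"  # constructed address
    return record


def linkable(rp_a, rp_b):
    """Count users two RPs can join on any attribute value both received."""
    seen = {value for rec in rp_a for value in rec.values()}
    return sum(1 for rec in rp_b if any(v in seen for v in rec.values()))


def simulate(mode, consenting=()):
    """Both RPs request email; only accounts in `consenting` agree to release it."""
    users = ["alice", "bob", "carol"]  # constructed accounts
    realms = ("https://shop.example/", "https://forum.example/")
    tables = [[assertion(u, r, mode, True, u in consenting) for u in users]
              for r in realms]
    return linkable(*tables)
```

With the global policy every user is joinable across the two RPs; with RP-specific identifiers none are, except those who consented to release the same email address to both.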