[OpenID] Correlating Identifiers

Ben Laurie benl at google.com
Fri Nov 7 09:23:05 UTC 2008


On Thu, Nov 6, 2008 at 10:53 AM, Nat Sakimura <n-sakimura at nri.co.jp> wrote:
> The current implementation that we are doing allows the user to choose
> non-correlating OpenIDs and correlating OpenIDs depending on the sites.
> I believe that is the way it should be.

I agree that that's the way it should be in an ideal world. The
interesting thing is: can you make it usable?

>
> =nat
>
> Christian Scholz / Tao Takashi (SL) wrote:
>> Hi!
>>
>> On Thu, Nov 6, 2008 at 1:06 AM, Allen Tom <atom at yahoo-inc.com> wrote:
>>
>>> Hi Nate -
>>>
>>> By default, Yahoo users get a single machine-generated OpenID identifier
>>> which is used at all RPs that the user signs into. Because the identifier is
>>> not unique to the RP, the user can be identified across multiple sites.
>>>
>>> Prior to launching our OpenID service, Yahoo's policy with our proprietary
>>> SSO service was to issue RP-specific identifiers to prevent RPs from sharing
>>> data about the user and correlating user behavior across different sites.
>>>
>>> Based on our discussions with the OpenID community, we concluded that the
>>> spirit of OpenID is to allow a user to reuse the same identity across the
>>> net, which implied that we should not vary the identifier that is returned
>>> to RPs. We believe that there is value in having an identifier with a
>>> reputation attached to it, and that in the future, RPs may be able to take
>>> the user's reputation into account to optimize the content and services
>>> given to first-time visitors.
>>>
>>
>> We had this discussion quite a bit on the DataPortability chat a while
>> back and I wonder if that's really working for everybody as maybe some
>> people don't want to be aggregated into a single identity. I might
>> want a different profile on different sites and those sites not to be
>> able to aggregate it. So basically let the user decide.
>>
>> But then again it depends on your provider if you can e.g. use
>> "yahoo.com" and not some personal identifier which then the site would
>> have anyway. So maybe this problem is one step before OpenID and some
>> service could allow you to attach different OpenIDs to the same set of
>> profiles you usually choose from (so the data for you at least is
>> still aggregated and centrally editable).
>>
>> Just a thought.
>>
>> -- Christian
>
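
The trade-off discussed in this thread, as an added example that is not part of any message in it and is not Yahoo's or NRI's implementation: an OP that asserts one global identifier by default and an RP-specific one for realms the user has marked. The HMAC derivation, the `op.example` namespace, the secret and all function names are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac

OP_BASE = "https://op.example/id/"      # hypothetical OP identifier namespace
OP_SECRET = b"constructed-demo-secret"  # constructed value; a real OP would protect this key


def _opaque(*parts: str) -> str:
    """HMAC-SHA256 over length-prefixed parts, so ("ab", "c") != ("a", "bc")."""
    msg = b"".join(len(p.encode()).to_bytes(4, "big") + p.encode() for p in parts)
    return hmac.new(OP_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def normalize_realm(realm: str) -> str:
    """Lower-case scheme and host so the same RP always maps to the same pseudonym."""
    scheme, _, rest = realm.partition("://")
    host, slash, path = rest.partition("/")
    return f"{scheme.lower()}://{host.lower()}{slash}{path}"


def issue_identifier(user: str, realm: str, directed: set[str]) -> str:
    """Identifier the OP asserts for `user` at `realm`.

    `directed` holds the realms where the user asked for a non-correlating ID.
    """
    realm = normalize_realm(realm)
    if realm in {normalize_realm(r) for r in directed}:
        return OP_BASE + _opaque("pairwise", user, realm)  # unique per (user, RP)
    return OP_BASE + _opaque("global", user)               # same value at every RP


def correlated(ids_at_rp_a: set[str], ids_at_rp_b: set[str]) -> set[str]:
    """What two RPs learn by intersecting the identifiers each has seen."""
    return ids_at_rp_a & ids_at_rp_b


if __name__ == "__main__":
    forum, shop = "https://forum.example/", "https://shop.example/"  # constructed RPs
    for label, choice in (("global", set()), ("pairwise", {forum, shop})):
        a = {issue_identifier("alice", forum, choice)}
        b = {issue_identifier("alice", shop, choice)}
        print(label, "-> identifiers shared by both RPs:", len(correlated(a, b)))
```
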


