[OpenID] OpenID SREG best practice question
Breno de Medeiros
breno at google.com
Wed Nov 12 17:53:11 UTC 2008
On Wed, Nov 12, 2008 at 8:20 AM, George Fletcher <gffletch at aol.com> wrote:
> Hi,
>
> I've been re-reading the SREG spec and I'm unsure as to the best/correct
> behavior in the case that an RP asks for SREG data that the user has
> already provided/consented to in the past. I see at least 3 options...
>
> 1. Should the OP (which knows the user gave consent for the requested
> fields) just not return them (on the principle that the fewer times
> "PII" flows over the wire the more the user's privacy is protected)?
In the Google implementation of AX for email, we send the email
every time that the user is prompted. So, if the user selects
auto-approval and the authentication is transparent to the user, the
email is not sent. If the value of the email changes from the value
last sent, the user is prompted (even if he has opted for
auto-approval) and the new value is sent (if user consents).
We think this is a good balance between disclosing "sensitive" attributes
only with user consent, while providing the ability to keep the RP
up-to-date with the user email, and also support transparent
authentication. If we expand support for other attributes that are
less sensitive than email we may adopt a different balance for those.
>
> 2. Should the OP silently (meaning no UI message relating to SREG)
> return the requested data if the user has given consent in the past (on
> the principle that the user gave consent in the past so this data can be
> returned without asking the user again).
>
> 3. Should the OP always ask the user what to do but defaulting the data
> that is sent based on the previous consent? This adds a UI page to every
> OpenID authentication that requests SREG data.
>
> Has anyone else worked through these issues? Any best practices to follow?
>
> Thanks,
> George
>
>
--
--Breno
+1 (650) 214-1007 desk
+1 (408) 212-0135 (Grand Central)
MTV-41-3 : 383-A
PST (GMT-8) / PDT(GMT-7)
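The release policy Breno describes above (send a sensitive attribute whenever the user is prompted, withhold it on transparent auto-approved authentication, and re-prompt when the value has changed since it was last sent) can be written down as a small decision function. The code below is an added illustration, not Google's or the OpenID project's code; the attribute names, the `RpConsent` store, the `SENSITIVE` set and the `ask_user` callback are assumptions, as is the choice to release non-sensitive attributes silently under auto-approval and to treat a never-sent sensitive attribute as "changed".

```python
"""Attribute-release decision for an OpenID OP, modelled on the policy
described in the reply above (hypothetical example code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class RpConsent:
    """What the OP remembers about one RP: the auto-approval flag and the
    value of each attribute last released to it (None = never released)."""
    auto_approve: bool = False
    last_sent: Dict[str, Optional[str]] = field(default_factory=dict)


@dataclass
class Outcome:
    prompted: bool        # was a consent UI shown for this authentication?
    sent: Dict[str, str]  # attributes included in the OpenID response


# Assumption: which attributes count as "sensitive" is OP policy.
SENSITIVE: Set[str] = {"email"}


def release(requested: List[str], current: Dict[str, str],
            consent: RpConsent, ask_user: Callable[[List[str]], bool]) -> Outcome:
    """Decide which of the requested attributes to include in the response.

    requested: attribute names the RP asked for (SREG/AX request)
    current:   the user's current attribute values held by the OP
    consent:   stored RpConsent for this RP; updated with what was sent
    ask_user:  stand-in for the consent page; returns True if the user
               approves releasing the listed attributes
    """
    # A sensitive attribute whose value differs from what this RP last
    # received forces a prompt even when auto-approval is switched on.
    # (Assumption: an attribute never sent before also counts as changed.)
    changed = {a for a in requested
               if a in SENSITIVE and consent.last_sent.get(a) != current.get(a)}
    prompt = (not consent.auto_approve) or bool(changed)

    if prompt:
        # Whenever the user sees the consent UI, every requested attribute
        # is offered and sent only if the user consents.
        if not ask_user(requested):
            return Outcome(prompted=True, sent={})
        to_send = {a: current[a] for a in requested if a in current}
    else:
        # Transparent, auto-approved authentication: sensitive values are
        # withheld because the RP already holds the same value; less
        # sensitive ones are released silently (assumption: option 2).
        to_send = {a: current[a] for a in requested
                   if a in current and a not in SENSITIVE}

    # Remember what this RP has seen so a later change can be detected.
    for name, value in to_send.items():
        consent.last_sent[name] = value
    return Outcome(prompted=prompt, sent=to_send)


if __name__ == "__main__":
    # Constructed walk-through of the four situations in the reply.
    rp = RpConsent()
    approve = lambda attrs: True
    print(release(["email", "nickname"],
                  {"email": "alice@example.com", "nickname": "alice"}, rp, approve))
    rp.auto_approve = True  # user ticks "always approve for this RP"
    print(release(["email", "nickname"],
                  {"email": "alice@example.com", "nickname": "alice"}, rp, approve))
    print(release(["email"], {"email": "alice@example.net"}, rp, approve))
    print(release(["email"], {"email": "alice@example.net"}, rp, approve))
```

The first call prompts and sends everything; the second is the transparent case where the unchanged email is withheld while the nickname goes through; the third detects the changed address and re-prompts despite auto-approval; the fourth is transparent again because the RP now holds the new value.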