[OpenID] Combining Google & Yahoo user experience research

Peter Williams pwilliams at rapattoni.com
Tue Oct 21 18:27:39 UTC 2008


I understood UCI (in the OpenID vs the Cardspace sense) to be about user empowerment. It exists to break the notion that Facebook (or some other IDP) controls the portability of the buddy list. I control my buddy list. Period. The OP is just a contractor, to me; handling my copyrighted data aggregation.

For example, if Facebook decide that I violate their terms of contract, and suspend access without notice (or because the local secret police tell them to), there is no impact on me concerning my 2000 entries. I don't "suddenly" lose access to my social net, because of the IDP's policies. I get "portability" of my identity.

This is obviously not something the traditional SAML world ever believed in. There, the IDP is the trustee of your attribute, guarding your privacy. But there is a cost: it gets control. It participates in governance regimes that may or may not suit you (even if they suit the public in general).

----------

My point about SP affiliations is that this particularly nice feature from the more advanced SAML world allows one dominant spoke to rely on an OP, and then signal other affiliate member spokes about its renaming activities. What is OpenID delegation, other than a renaming of URIs (at certain OPs)?

A cute way to have SAML and OpenID2 models converge would be to play with this idea, where only certain amounts of control are ceded by the user and that delegation is explicit. This user then has survivability, when the OP/IDP stops supporting him/her.



-----Original Message-----
From: Martin Atkins [mailto:mart at degeneration.co.uk]
Sent: Monday, October 20, 2008 12:07 PM
To: Paul Madsen
Cc: Peter Williams; general at openid.net
Subject: Re: [OpenID] Combining Google & Yahoo user experience research

Paul Madsen wrote:
> Thanks, OpenID's delegation mechanism is undeniably powerful (not sure I
> see the connection to SAML affiliations though?).
>
> But the enhanced ability to switch IDPs isn't the 'user empowering
> aspect' of OpenID I was asking about - rather the hardline view that a
> User's choice of OP takes complete priority over whatever the RP might
> think about the matter.
>
> Is an RP ever declining a user specified OP compatible with your view
> (at least my interpretation of) of user-centric?
>

The RP can do whatever it likes, of course.

It's up to the RP to decide whether they want my business enough to
respect my decision as to which OP I trust. I'm unlikely to go get a new
OP just because an RP doesn't like my current one. I'd just go find a
competing RP.




