[OpenID] "This is user's URI" for Assertion Quality Extension
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Sep 8 18:16:40 UTC 2008
I've decided to eliminate tracking and discrimination for the
typed-in URI, since Directed Identity renders this previously
envisioned scenario indistinguishable from regular use:
http://openid.net/pipermail/general/2008-April/004533.html
It can still be detected, but using attributes such as IP address
rather than relying on OpenID to be secure (which it is, but some
implementations may fail to follow the spec, as described in the link
above).
>To me http://openid.aol.com/gffletch is not different than a 2.0
>pseudonymous identifier of
>http://openid.aol.com/asdjff92rasldkf2f339r.
Since there's nothing stopping an OP from serving up the same
(default) headers for any openid.aol.com page and then asking the
user "Okay, who are you, *really*?" when they arrive for
authentication, I've been coming to realize that even a URI page that
"really exists" can't be distinguished from a user that is keeping
their Profile blank.
It's starting to look like out-of-band correlation of
identity/attributes through AX or other means is the only way of
enhancing value this way, and the real question we'd be asking is
"How private does this user want to be?".
I'll be posting soon about out-of-band correlation of identity.
>I could see AX being used to present information to an RP about the
>"validity" or "reputation" of an OpenID such that the RP could make
>decisions based on that data.
It seems we've discussed this before :)
http://openid.net/pipermail/general/2008-August/005402.html
>Or as you say, the RP could track activity of an identifier and
>increase user privileges as certain activities are completed.
I was thinking "level of activity" (can't just register an account
elsewhere and say "See? Here!", have to be doing stuff *as* that
identity), but targeting certain activities the RP likes to encourage
- it has potential!
. . . both ways. I can see RPs saying "Do stuff on our partner's
sites instead of their competitor's, and we'll upgrade your service."
Could still work out okay though, if RPs strike the right balance
between "Premium features that most users don't care about." and
"Basic functionality that would require users to switch to most of
the partners just to receive service that is immediately available on
other sites." (whereupon the users might depart for less restrictive
sites).
-Shade