[OpenID] Widgets and other aggregation

SitG Admin sysadmin at shadowsinthegarden.com
Tue Jan 27 01:51:26 UTC 2009


I've been thinking about the ability of OPs to log in as any user 
they (have the power to) represent, whether acting on behalf of that 
user or not. Some (especially where the OP is already a walled 
garden, and wants to keep the user's UX consistent with their own 
skin) will want to act like an RSS client and check in with RPs, 
repackage the information, then present it to the user in the desired 
format. It would be like a widget, presenting cherry-picked 
information combined from all your favorite OpenID-enabled sites.

This is even conceivably desirable as a privacy benefit, since other 
RPs aren't authorized to know what skins the user prefers at their OP 
(and secondarily it then becomes a *security* benefit, inasmuch as 
the use of any *other* skins would break UX consistency and alert the 
user to an attacker's attempt to spoof the OP).

But this complicates accountability; suddenly, without the user's 
knowledge or consent, a "feature" at their OP is providing 
potentially confidential data to a site (their OP) that has not 
signed any legally binding contracts with the user *or* the RP; a 
site with unknown security standards, that may be trivially hacked 
into; a site with unknown privacy policies, that may share with 
undisclosed 3rd parties the data it accesses; a site with unknown 
data retention policies, but even if it promises to keep the data 
"just long enough to display for the user" I (for one) would STILL 
have objections, mostly for the other reasons stated.

-Shade
