[OpenID] EU regulators call for tighter privacy provisions on OpenID, Facebook (U)
Andrew Arnott
andrewarnott at gmail.com
Fri Jun 19 02:23:11 UTC 2009
Hi Allen,
Just my two cents on the multiple personas at a single OP... the OpenID
security best practices document that was just published mentioned that RPs
are encouraged to not use persistent session cookies, but rather persistent
OpenID Claimed Identifier cookies, so that each time the user visits an RP,
he can be automatically logged in if and only if he is logged into the OP.
This sounds like a good paradigm to work toward.
But it won't work so well if users are forced to have multiple accounts at
the OPs in order to manage their multiple personas. For instance, if I must
have two Yahoo accounts to manage my two personas, then I can only be logged
into one of them at once, which forces me to keep logging into "the other
one" each time I visit an RP that happens to use a different persona than
the last RP I visited.
Contrast that to Yahoo supporting multiple personas: I'm logged into all of
them at once, so no matter which RP I visit as a Yahoo! customer, Yahoo can
implicitly log me into those RPs regardless of which claimed_id and/or
persona from Yahoo I used to log in with them.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
On Thu, Jun 18, 2009 at 5:47 PM, Allen Tom <atom at yahoo-inc.com> wrote:
> Hi Noel,
>
> Thanks for sending the link to your blog post.
>
> Given that many people already have multiple email addresses for different
> uses and personas, is it really necessary for OpenID Providers to give users
> the option of using different OpenIDs when using the same account to sign
> into different websites?
>
> Users who already understand the concept of having multiple accounts for
> different purposes can just use different accounts for each persona (perhaps
> even using different OPs). OpenID enabled accounts are freely and easily
> available from many major identity providers, and encouraging users who do
> not want their identities correlated across multiple websites to just use a
> different account is probably a lot safer from a security and privacy
> perspective than expecting users to use a single account with a single OP,
> with multiple OpenIDs.
>
> Allen
>
>
>
> Dickover, Noel, CTR, NII/DoD-CIO wrote:
>
>> I wrote a blog post on my thoughts for Privacy as it affects Open
>> Government initiatives, and how OpenID could potentially help in the
>> future. They liked it enough that they asked to repost it on the
>> PrivacyDC blog. The link is here if anyone wants to give me some
>> thoughts on it:
>>
>> http://privacycamp.wordpress.com/2009/06/16/gov2-0-privacy-issues-for-privacycampdc/
>>
>>
>>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>