[OpenID] EU regulators call for tighter privacy provisions on OpenID, Facebook (U)
Peter Williams
pwilliams at rapattoni.com
Fri Jun 19 02:52:09 UTC 2009
The (painful) description sounds like the SAML2 websso's "transient" identifier - a notion that doesn't exist in openid. Each identifier released about you from an OP is distinct, so one cannot tell as an RP that the same user commanded some or other action at the RP. An OP may or may not be able to hold you accountable tho, despite the id firewall.
________________________________________
From: general-bounces at openid.net [general-bounces at openid.net] On Behalf Of Dickover, Noel, CTR, NII/DoD-CIO [Noel.Dickover.ctr at osd.mil]
Sent: Thursday, June 18, 2009 7:37 PM
To: Allen Tom; OpenID List
Cc: Noel Dickover
Subject: Re: [OpenID] EU regulators call for tighter privacy provisions on OpenID, Facebook (U)
UNCLASSIFIED
Hi Tom,
Just to clarify, if you are referring to the second bullet titled "Use of
External OpenID Providers to use Multiple Identities when participating in
Open Govt Conversations", what I was referring to there wasn't using
multiple email addresses, but that a different URI would be given with each
post command. The difference I was trying to get at, and I fully admit I
might have the right verbiage here, is that the user should have the option
of either stringing a series of post commands to appear to be from the same
user OR to have those series of post commands to have no ties to one
another, other than that they originate from the same Identity Provider,
like Yahoo.com, for instance. I wasn't advocating multiple email addresses.
If there is a better way to say this, especially one which will resonate to
those unfamiliar with OpenID, give me the right words.
Best,
Noel
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of Allen Tom
Sent: Thursday, June 18, 2009 8:48 PM
To: Dickover, Noel, CTR, NII/DoD-CIO; OpenID List
Cc: Noel Dickover
Subject: Re: [OpenID] EU regulators call for tighter privacy provisions on OpenID, Facebook (U)
Hi Noel,
Thanks for sending the link to your blog post.
Given that many people already have multiple email addresses for different
uses and personas, is it really necessary for OpenID Providers to give users
the option of using different OpenIDs when using the same account to sign
into different websites?
Users who already understand the concept of having multiple accounts for
different purposes can just use different accounts for each persona (perhaps
even using different OPs). OpenID enabled accounts are freely and easily
available from many major identity providers, and encouraging users who do
not want their identities correlated across multiple websites to just use a
different account is probably a lot safer from a security and privacy
perspective than expecting users to use a single account with a single OP,
with multiple OpenIDs.
Allen
Dickover, Noel, CTR, NII/DoD-CIO wrote:
> I wrote a blog post on my thoughts for Privacy as it affects Open
> Government initiatives, and how OpenID could potentially help in the
> future. They liked it enough that they asked to repost it on the
> PrivacyDC blog. The link is here if anyone wants to give me some
> thoughts on it:
>
> http://privacycamp.wordpress.com/2009/06/16/gov2-0-privacy-issues-for-privacycampdc/
>
>
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
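The identifier-release modes discussed in this thread can be compared in code. The sketch below is an added example, not part of any message above and not taken from an OpenID library: `IdentifierIssuer`, its methods, `op.example` and the RP realms are hypothetical names, and the key is a constructed demo value. It shows a per-RP (pairwise) identifier, a per-assertion (transient) identifier, and the OP-side ledger that decides whether the OP can still tie a transient identifier back to an account.

```python
import hashlib
import hmac
import secrets


class IdentifierIssuer:
    """Hypothetical OP-side helper for illustrating identifier release modes."""

    def __init__(self, op_base, secret=None, keep_ledger=True):
        self.op_base = op_base.rstrip("/")
        self.secret = secret or secrets.token_bytes(32)
        self.keep_ledger = keep_ledger
        self._ledger = {}  # transient identifier -> (account, realm), held only by the OP

    def pairwise(self, account, realm):
        """Same account at the same RP gets the same identifier; two RPs see different ones."""
        msg = "\x00".join(("pairwise", account, realm)).encode()
        tag = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]
        return f"{self.op_base}/id/{tag}"

    def transient(self, account, realm):
        """Fresh random identifier per assertion; one RP cannot link two of them."""
        ident = f"{self.op_base}/id/{secrets.token_hex(16)}"
        if self.keep_ledger:
            self._ledger[ident] = (account, realm)
        return ident

    def resolve(self, ident):
        """OP-side lookup; returns None when no ledger entry exists."""
        return self._ledger.get(ident)


def demo():
    rp_a, rp_b = "https://forum.example/", "https://comments.example/"
    op = IdentifierIssuer("https://op.example", secret=b"constructed-demo-key")
    forgetful = IdentifierIssuer("https://op.example", keep_ledger=False)
    t1, t2 = op.transient("alice", rp_a), op.transient("alice", rp_a)
    return {
        "pairwise_stable_at_one_rp": op.pairwise("alice", rp_a) == op.pairwise("alice", rp_a),
        "pairwise_differs_across_rps": op.pairwise("alice", rp_a) != op.pairwise("alice", rp_b),
        "transient_unlinkable_at_one_rp": t1 != t2,
        "op_can_attribute": op.resolve(t1) == ("alice", rp_a),
        "op_without_ledger_cannot": forgetful.resolve(forgetful.transient("alice", rp_a)) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```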