[OpenID] EU regulators call for tighter privacy provisions on OpenID, Facebook (U)
Allen Tom
atom at yahoo-inc.com
Fri Jun 19 03:31:15 UTC 2009

Hi Noel,

If the user wanted to use different identifiers from the same OP on a
given RP, then the user would probably need to have multiple accounts
with the OP.

The scenario you describe is not a typical use case; the classic
"directed identity" scenario is for the user to use an RP-specific
identifier to prevent the user from being correlated across different
RPs, and this is how the Google OP works by default. If the user has
the option to choose different identifiers every time he visits the RP,
then the OP will need to list the different identifiers that are
available, and the user will have to remember which one to use. These
options would make the OpenID UI much more complicated than the "click
to sign in" UIs that we have today.

It is my opinion that users do want to have the ability to have
different personas, but they don't necessarily need to have multiple
personas tied to a single account at their OP. OpenID is often
criticized for being overly complicated for mainstream users, so I'd
prefer to keep the OpenID sign in flow relatively simple and
straightforward.

I only brought up email addresses in my previous post because most users
already seem to understand how to manage multiple email addresses, and
email addresses tend to be tied to different accounts. As OpenID becomes
more widely adopted, users may have multiple OpenIDs, similarly to how
they currently have multiple email addresses.

Allen

Dickover, Noel, CTR, NII/DoD-CIO wrote:
> UNCLASSIFIED
>
> Hi Tom,
>
> Just to clarify, if you are referring to the second bullet titled "Use of
> External OpenID Providers to use Multiple Identities when participating in
> Open Govt Conversations", what I was referring to there wasn't using
> multiple email addresses, but that a different URI would be given with each
> post command. The difference I was trying to get at, and I fully admit I
> might have the right verbiage here, is that the user should have the option
> of either stringing a series of post commands to appear to be from the same
> user OR to have those series of post commands to have no ties to one
> another, other than that they originate from the same Identity Provider,
> like Yahoo.com, for instance. I wasn't advocating multiple email addresses.
>
> If there is a better way to say this, especially one which will resonate to
> those unfamiliar with OpenID, give me the right words.
>
> Best,
>
> Noel
>
> -----Original Message-----
> From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
> Behalf Of Allen Tom
> Sent: Thursday, June 18, 2009 8:48 PM
> To: Dickover, Noel, CTR, NII/DoD-CIO; OpenID List
> Cc: Noel Dickover
> Subject: Re: [OpenID] EU regulators call for tighter privacy provisions
> on OpenID, Facebook (U)
>
> Hi Noel,
>
> Thanks for sending the link to your blog post.
>
> Given that many people already have multiple email addresses for different
> uses and personas, is it really necessary for OpenID Providers to give users
> the option of using different OpenIDs when using the same account to sign
> into different websites?
>
> Users who already understand the concept of having multiple accounts for
> different purposes can just use different accounts for each persona (perhaps
> even using different OPs). OpenID enabled accounts are freely and easily
> available from many major identity providers, and encouraging users who do
> not want their identities correlated across multiple websites to just use a
> different account is probably a lot safer from a security and privacy
> perspective than expecting users to use a single account with a single OP,
> with multiple OpenIDs.
>
> Allen
>
>
>
> Dickover, Noel, CTR, NII/DoD-CIO wrote:
>
>> I wrote a blog post on my thoughts for Privacy as it affects Open
>> Government initiatives, and how OpenID could potentially help in the
>> future. They liked it enough that they asked to repost it on the
>> PrivacyDC blog. The link is here if anyone wants to give me some
>> thoughts on it:
>>
>> http://privacycamp.wordpress.com/2009/06/16/gov2-0-privacy-issues-for-privacycampdc/
>>
>>
>>
>