[OpenID] EU regulators call for tighter privacy provisions on OpenID, Facebook (U)

Allen Tom atom at yahoo-inc.com
Fri Jun 19 04:41:54 UTC 2009


>
> Scenario #1 RP uses checkid_immediate with directed identity: the OP 
> uses the last persona the user selected with that RP.  This makes 
> sense when the RP is using checkid_immediate to auto-login the user 
> from their last session and just wants to make sure the user is still 
> signed into their OP.
>
What if the user has multiple computers, and the user signs into the RP 
using Persona1 on Computer1 and then signs in as Persona2 on Computer2.

At some point, the RP's session cookie on Computer1 expires, and it does 
checkid_immediate. Does the OP respond back with Persona1 or Persona2?

Although I'm sure we could come up with a reasonable solution that makes 
sense, in practice there are too many opportunities for the personas to 
get mixed up that can be avoided if the user just used different accounts.


> Scenario #2 RP uses checkid_immediate with a claimed identifier the 
> user has logged into the RP previously: OP can tell from the claimed 
> identifier which persona is in use.  This assumes personas are tied to 
> identifiers, which they may not be.  

Well, the spec does allow the OP to ignore the claimed identifier and to 
just treat all requests as an OP-identifier.


Allen
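The two checkid_immediate cases from the exchange above, walked through in code. This is a constructed example written for this page, not code from the OpenID list, the OpenID 2.0 specification or any real OP. It models a minimal OP whose directed-identity answer is "the persona the user last chose for this realm" (Scenario #1) and which resolves a claimed identifier back to a persona (Scenario #2); the OP and RPSession classes, the persona identifiers and the realm URL are assumptions made for the example, and signatures, nonces and association handles are left out because they do not affect which persona is chosen.

```python
"""Two-computer persona walk-through for checkid_immediate (constructed example)."""
from dataclasses import dataclass, field
from typing import Optional

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
RP_REALM = "https://rp.example/"  # assumed RP realm


def immediate_request(realm, claimed_id):
    """The subset of a checkid_immediate request that matters for persona choice."""
    return {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_immediate",
        "openid.realm": realm,
        "openid.return_to": realm + "openid/return",
        "openid.claimed_id": claimed_id,
        "openid.identity": claimed_id,
    }


@dataclass
class OP:
    # persona name -> claimed identifier the OP asserts for that persona
    personas: dict
    # Scenario #1 heuristic: last persona the user picked, keyed by RP realm
    last_persona_for_realm: dict = field(default_factory=dict)

    def checkid_setup(self, realm, persona):
        """Interactive sign-in: the user picks a persona for this RP."""
        self.last_persona_for_realm[realm] = persona
        return self._positive_assertion(self.personas[persona])

    def checkid_immediate(self, req):
        """Non-interactive re-check; setup_needed when the OP cannot decide."""
        claimed = req["openid.claimed_id"]
        if claimed == IDENTIFIER_SELECT:
            # Directed identity: the OP has no idea which computer is asking,
            # so it falls back to the per-realm "last persona" record.
            persona = self.last_persona_for_realm.get(req["openid.realm"])
            if persona is None:
                return {"openid.mode": "setup_needed"}
            return self._positive_assertion(self.personas[persona])
        # RP supplied a claimed identifier: persona follows from the identifier.
        if claimed in self.personas.values():
            return self._positive_assertion(claimed)
        return {"openid.mode": "setup_needed"}

    @staticmethod
    def _positive_assertion(claimed_id):
        # Signature, nonce and assoc_handle omitted: they do not affect persona choice.
        return {"openid.mode": "id_res", "openid.claimed_id": claimed_id}


@dataclass
class RPSession:
    """The RP's session cookie on one computer: remembers who logged in there."""
    computer: str
    claimed_id: Optional[str] = None
    expired: bool = False


def run_scenarios():
    """Persona1 on Computer1, then Persona2 on Computer2, then Computer1 re-checks."""
    op = OP(personas={"Persona1": "https://op.example/persona1",
                      "Persona2": "https://op.example/persona2"})
    c1 = RPSession("Computer1")
    c2 = RPSession("Computer2")

    # Interactive logins on the two machines, in this order.
    c1.claimed_id = op.checkid_setup(RP_REALM, "Persona1")["openid.claimed_id"]
    c2.claimed_id = op.checkid_setup(RP_REALM, "Persona2")["openid.claimed_id"]

    # Computer1's RP cookie expires and the RP tries to silently log the user back in.
    c1.expired = True

    # Scenario #1: directed identity.  The OP answers with the realm's last persona.
    resp1 = op.checkid_immediate(immediate_request(RP_REALM, IDENTIFIER_SELECT))
    # Scenario #2: the RP re-sends the claimed identifier it had stored for Computer1.
    resp2 = op.checkid_immediate(immediate_request(RP_REALM, c1.claimed_id))
    return {
        "computer1_logged_in_as": c1.claimed_id,
        "directed_identity_returns": resp1["openid.claimed_id"],
        "claimed_identifier_returns": resp2["openid.claimed_id"],
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

Running it shows the mix-up in the first scenario: Computer1 was signed in as Persona1, but the directed-identity re-check comes back as Persona2 because the OP only knows the most recent choice for that realm. In the second scenario the stored claimed identifier pins the persona, which is the case where personas are tied to identifiers.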



