[OpenID] Feedback from OpenID demo
SitG Admin
sysadmin at shadowsinthegarden.com
Wed May 27 07:44:56 UTC 2009
>Let's be realistic. This type of situation does not apply to the
>majority of the readers of this list, not to mention the rest of the
>internet.
With an OP designed for security, it should - give users an
out-of-band way to temporarily activate their ability to log in,
otherwise leave it inaccessible and therefore beyond break-ins :)
I do lots of simple little tricks, myself, that simply aren't
available in commercial OPs yet, but I fully expect will become SOTA
someday.
>> If an RP were to check back in again later on, when I had not
>> explicitly commanded it to do
>> so (and thus been expecting that, in advance, so I knew to make this
>> possible), it would then experience an error.
>
>Then you have chosen not to support checkid_immediate.
Not so! I can always re-enable access (the OP is up and running at
all times, it's just that nobody can get through to it unless I say
so) just long enough for the OP to say "I'm still here"; because it
doesn't need to have an active session with an RP, it's generally
fine with that.
>But it's not like this is some crazy idea from left field - it is in the spec.
Short of the RP doing a timing analysis to detect whether the user
has "probably" been interacting with their OP instead of merely
having a slow pair of automatic Redirects, it may be impossible to
determine whether the user is seeing checkid_immediate as regular
login. (I do; I get prompted for whether I trust the RP with my
identity *this* time, and then, if I still have an active session
with my OP, it *doesn't* ask me to authenticate again.)
>The changes that Bill and I proposed (way back on the thread) are to
>make it *possible* for an OpenID provider to *offer* its users the
>ability to have a single signon/signout concept.
Optional is fine, I'm still pursuing what Chris said (even further
back up, on an earlier thread) about needing to determine (for 2.1)
what is *meant* by "logging out". It should certainly be possible to
say "For these RPs, where I am already (officially) logged in,
respond to checkid_immediate if our session is still valid, but
otherwise pretend not to know me if any other login requests are
received." and have that be single-signout.
Focusing on this thread, then, Bill's informal user querying seems to
suggest that such a feature would be counter-intuitive. I think we
should try to fully understand what the (logical) expectations are
from the old (pre-OpenID) login system, then compare those to what
we'll see in the new (OpenID) system. Explanations can then be
prepared so users know *exactly* what they're getting into. Trial
runs of the feature could then include that variable to anticipate
how many users *really* knew what they were getting into (or figured
it out on their own before an explanation was given to them), and how
many got upset about it (even changed their minds about using it)
when they discovered the implications.
I'm not sure that would be enough. Surprise evinced by users at
identity theft that had been taking place for a long period of time
suggests that they didn't know, and were happy about it.
-Shade
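An added illustration (not code from this post or from any OpenID implementation) of the OP policy Shade sketches above: the OP is always running, a user-controlled out-of-band gate decides whether new logins can reach it at all, RPs the user already logged in to get a positive checkid_immediate answer only while the OP session is still valid, and signing out at the OP makes every later immediate check negative. Names such as OPState, open_gate and decide are hypothetical; the openid.mode values (id_res, setup_needed, cancel) are the OpenID 2.0 ones, and unlike Shade's own OP this model never prompts on checkid_immediate.

```python
from dataclasses import dataclass, field

POSITIVE = "id_res"
# Negative assertion per request mode, as defined by OpenID 2.0
NEGATIVE = {"checkid_immediate": "setup_needed", "checkid_setup": "cancel"}

@dataclass
class OPState:
    session_expires_at: float          # end of the user's OP session (epoch seconds)
    trusted_rps: set = field(default_factory=set)  # realms the user explicitly logged in to
    gate_open_until: float = 0.0       # out-of-band "let logins through" window (hypothetical)

    def session_valid(self, now):
        return now < self.session_expires_at

    def open_gate(self, until):
        """Stand-in for the user's out-of-band switch; not part of the OpenID flow."""
        self.gate_open_until = until

def single_signout(state):
    """Ending the OP session turns every later checkid_immediate into setup_needed."""
    state.session_expires_at = 0.0

def decide(state, mode, realm, now, user_approves=False):
    """Return the openid.mode the OP answers with for a checkid_* request from `realm`."""
    if mode not in NEGATIVE:
        raise ValueError(f"unsupported mode {mode!r}")
    negative = NEGATIVE[mode]
    # RPs already logged in: immediate checks are answered from the live session only
    if mode == "checkid_immediate" and realm in state.trusted_rps:
        return POSITIVE if state.session_valid(now) else negative
    # Everything else is unreachable unless the user opened the gate out of band
    if now >= state.gate_open_until:
        return negative
    if mode == "checkid_immediate":
        return negative  # no prior login with this RP and immediate mode cannot prompt
    # checkid_setup inside the window: the user is prompted and decides
    if user_approves:
        state.trusted_rps.add(realm)
        return POSITIVE
    return negative
```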