[OpenID] correlatable identifiers - Should Openid's resolve to their descriptors in v.next?
Peter Watkins
peterw at tux.org
Sat Nov 28 15:31:54 UTC 2009
On Thu, Nov 19, 2009 at 01:50:45PM -0300, John Bradley wrote:
> In the Gov case the RP doesn't want a correlatable identifier and in some cases may be legally prohibited from taking one.
>
> What identifier is used to discover the identifier select service is another question. It doesn't need to be a URL in the future.
Amen! And I say that as someone who runs a (small) .gov web SSO system
that accepts OpenID (including XRI). All I need from OpenID is reliable, unique
identifiers. I want the system to be such that our users can trust that OPs
like Google and Yahoo are not leaking information without their consent. Or,
more to the point, that RPs like us are not getting any info without consent.
Leah, thanks for the TypePad stats. At first glance I thought, wow, we have
a presence on Twitter and Facebook, maybe we really should allow those login
choices, too. I mean, just look at your Facebook usage! But I don't want
users being forced to give us their public Twitter and Facebook identifiers
just to log in (and I sure don't want to ask for any special rights to the
users' OP account info -- not the simple "read" access on Twitter, and
certainly not the "extended" access that Facebook offers FB apps).
I *do* like having *optional* mechanisms for asking the OP for more
information -- if a user *wants* Yahoo to send us their email address,
that's fine.
Don't force users to divulge anything more than a unique identifier.
The day OpenID requires OPs to divulge personal info beyond opaque
IDs like those that Google and Yahoo offer for directed identity is
the day we start formulating a plan to phase out OpenID.
I know that many on this list see OpenID as more of a nym/Digital ID
system -- look at all the early examples of blog hostnames as identifiers.
OpenID's strongest selling point for us right now is that it is a simple,
lightweight, trustworthy protocol for federated authentication. I hope
that any future work to make OpenID more valuable for "digital identity"
won't compromise that.
-Peter
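The property Peter is asking for, an identifier that is stable for one RP but useless for correlating a user across RPs, is what the opaque directed-identity identifiers from Google and Yahoo provide. The following is an added example, not code from the post or from any OP, showing one way an OP can derive such a pairwise identifier and why two RPs gain nothing by comparing their user tables. The HMAC-based derivation, the realm normalization, the OP endpoint URL, the secret key and the user names are all assumptions for this illustration, not how any real OP computes its identifiers.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed OP-side values for the example. A real OP would keep a
# persistent, protected key; rotating it silently changes every identifier.
OP_PAIRWISE_SECRET = b"example-op-secret-do-not-use-in-production"
OP_ENDPOINT = "https://op.example/openid"  # hypothetical OP endpoint


def normalize_realm(realm: str) -> str:
    """Canonical form of an OpenID 2.0 realm (assumption for this example).

    Trivial spelling differences ("HTTPS://Agency.GOV" vs "https://agency.gov/")
    must map to the same identifier, or a returning user looks like a new one;
    genuinely different RPs must stay distinct.
    """
    parts = urlsplit(realm.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def public_identifier(user_id: str) -> str:
    """The correlatable style: one identifier for the user everywhere."""
    return f"{OP_ENDPOINT}/{user_id}"


def pairwise_identifier(user_id: str, rp_realm: str,
                        secret: bytes = OP_PAIRWISE_SECRET) -> str:
    """Opaque identifier bound to (user, RP realm).

    Same user + same realm  -> same value, so the RP recognizes returning users.
    Same user + other realm -> unrelated value, so two RPs cannot join on it.
    Without `secret` nobody can test whether two values belong to one user.
    """
    uid = user_id.encode("utf-8")
    realm = normalize_realm(rp_realm).encode("utf-8")
    # Length-prefix each field so "ab"+"c" and "a"+"bc" cannot collide.
    msg = (len(uid).to_bytes(4, "big") + uid
           + len(realm).to_bytes(4, "big") + realm)
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{OP_ENDPOINT}?id={tag}"


def shared_identifiers(rp_a_ids, rp_b_ids):
    """What two colluding RPs learn by joining their identifier tables."""
    return set(rp_a_ids) & set(rp_b_ids)


if __name__ == "__main__":
    # Constructed sample: the same three users log in to a .gov RP and a shop.
    users = ["alice", "bob", "carol"]
    gov, shop = "https://agency.example.gov/", "https://shop.example/"
    print("public  :", shared_identifiers(
        [public_identifier(u) for u in users],
        [public_identifier(u) for u in users]))       # all three overlap
    print("pairwise:", shared_identifiers(
        [pairwise_identifier(u, gov) for u in users],
        [pairwise_identifier(u, shop) for u in users]))  # empty set
```

The RP stores only the returned identifier as the account key; since the value is bound to its own realm, a change of realm (for example moving the SSO system to a new hostname) would turn every user into a stranger, which is the operational caveat an RP accepting directed identity has to plan for.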