[OpenID] Fixing usability: can OPs indicate their claimed_id's are PPID's?

John Bradley ve7jtb at ve7jtb.com
Thu Oct 29 16:08:05 UTC 2009


The OP can send a PAPE response even if there is no PAPE request.

Yahoo is including PAPE in all their responses.

The PPID URI has a specific meaning with respect to correlation.

Some providers (like Yahoo) use identifiers that are still  
correlatable simply to hide the email address where that is tied to  
the account name.

I don't think those should return the PPID PAPE URI.

This gets more complicated as the number of possible identifier types
for OpenID expands.
For the moment we have XRI, URLs that point to profile pages, and URLs
that don't point to profiles.

If we were to allow other things as claimed_id in the future it gets  
more complicated.

Perhaps another way to ask the question is if the claimed_id points to  
profile info.

If it doesn't, then there is no real reason to try and use it as the
local "username".

We also need to consider what new users are likely to understand.  The
web site using a URL that points to an external profile page may be
what we anticipate, but it may be a surprise to a normal user.

While that may have been great for the original blog commenting use
case, I don't know that it holds true for many consumer sites now
taking OpenID.

John B.

On 2009-10-29, at 12:48 PM, Andrew Arnott wrote:

> A usability issue with OpenID is that while "blog.nerdbank.net"  
> makes for a reasonable "username" for an RP to display as I log in  
> with my "vanity URL", my Google-given claimed_id at an RP is not  
> suitable for display as my username.  Rather than have RPs hard-code  
> an increasing number of OPs that issue these, particularly since  
> some OPs can issue PPIDs at some times and not others based on user  
> preference, can we get OPs to somehow indicate with the assertion  
> that the identifier is not intended for human consumption?
>
> We already have a way: a PAPE authentication policy with this URI:  
> (which comes from the ICAM OpenID 2.0 profile)
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
>
> Can we get Google, and any other OPs that issue these identifiers,
> to include this PAPE policy?
>
> One possibility is to include this PAPE policy in the response if it  
> was included in the request, but if an RP doesn't particularly want  
> to request a PPID, but merely wants to know if it gets one,  
> requesting this policy in PAPE doesn't seem appropriate.
>
> Any other ideas?
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the  
> death your right to say it." - S. G. Tallentyre
> _______________________________________________
> general mailing list
> general at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-general
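
Added example, not part of either message and not code from any OP or RP library: a sketch of the RP-side check discussed in this thread, reading the PAPE response whether or not PAPE was requested and using the claimed_id as a display name only when the OP has not flagged it as a PPID. It assumes the assertion signature has already been verified by the RP's OpenID library; the function names, the op.example identifier and the sample assertions are constructed for illustration.

```python
PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
PPID_POLICY = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
               "privatepersonalidentifier")


def signed_pape_policies(params):
    """Return the PAPE policy URIs covered by openid.signed (empty set if none)."""
    # The OP picks the extension alias, so look it up by namespace URI.
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == PAPE_NS), None)
    if alias is None:
        return set()
    signed = set(params.get("openid.signed", "").split(","))
    # Fields outside openid.signed could have been added in transit: ignore them.
    if not {"ns." + alias, alias + ".auth_policies"} <= signed:
        return set()
    return set(params.get("openid." + alias + ".auth_policies", "").split())


def display_name(params, fallback):
    """Use claimed_id as the on-screen name unless the OP flagged it as a PPID."""
    if PPID_POLICY in signed_pape_policies(params):
        return fallback
    return params["openid.claimed_id"]


# Constructed sample assertions (not captured traffic); op.example is a placeholder.
PPID_ASSERTION = {
    "openid.ns.pape": PAPE_NS,
    "openid.claimed_id": "https://op.example/id/5f2a9c41d0",
    "openid.pape.auth_policies": PPID_POLICY,
    "openid.signed": "claimed_id,identity,ns.pape,pape.auth_policies",
}
VANITY_ASSERTION = {
    "openid.claimed_id": "http://blog.nerdbank.net/",
    "openid.signed": "claimed_id,identity",
}
# Same PPID assertion, but the PAPE fields are missing from openid.signed.
UNSIGNED_ASSERTION = dict(PPID_ASSERTION, **{"openid.signed": "claimed_id,identity"})

if __name__ == "__main__":
    for assertion in (PPID_ASSERTION, VANITY_ASSERTION, UNSIGNED_ASSERTION):
        print(display_name(assertion, "(account at op.example)"))
```

The absence of the PPID policy only means the OP made no such claim; as noted above, some OPs issue opaque but correlatable identifiers without it, so the claimed_id may still be unsuitable for display.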
