[OpenID] Fixing usability: can OPs indicate their claimed_id's are PPID's?

Andrew Arnott andrewarnott at gmail.com
Thu Oct 29 16:15:55 UTC 2009 

Santosh,

Don't forget that some RPs (like mine) don't want the email address or full
name of the user.  OpenID has already solved the problem of RP and OP
recognizing the user.  So I agree this isn't particularly about the RP or OP
-- but more about helping the user recognize that indeed he is the one
logged into the RP he's clicking around within.  But to do that, we need
additional RP-OP communication.  So it is about the RP and OP after all.

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre


On Thu, Oct 29, 2009 at 9:09 AM, Santosh Rajan <santrajan at gmail.com> wrote:

> Hi Andrew,
> This is really not about the RP or the OP. It is about the "user". If the
> user agree's then Google already provides his email address, and name.
> Maybe we need to re-think the whole issue.
>
>
>
> On Thu, Oct 29, 2009 at 9:18 PM, Andrew Arnott <andrewarnott at gmail.com>wrote:
>
>> A usability issue with OpenID is that while "blog.nerdbank.net" makes for
>> a reasonable "username" for an RP to display as I log in with my "vanity
>> URL", my Google-given claimed_id at an RP is *not* suitable for display
>> as my username.  Rather than have RPs hard-code an increasing number of OPs
>> that issue these, particularly since some OPs can issue PPIDs at some times
>> and not others based on user preference, can we get OPs to somehow indicate
>> with the assertion that the identifier is not intended for human
>> consumption?
>>
>> We already have a way: a PAPE authentication policy with this URI: (which
>> comes from the ICAM OpenID 2.0 profile)
>>
>> http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier
>>
>> Can we get Google, and any other OPs that issue these identifiers, to
>> includes this PAPE policy?
>>
>> One possibility is to include this PAPE policy in the response if it was
>> included in the request, but if an RP doesn't particularly want to *
>> request* a PPID, but merely wants to know if it gets one, requesting this
>> policy in PAPE doesn't seem appropriate.
>>
>> Any other ideas?
>>
>> --
>> Andrew Arnott
>> "I [may] not agree with what you have to say, but I'll defend to the death
>> your right to say it." - S. G. Tallentyre
>>
>> _______________________________________________
>> general mailing list
>> general at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-general
>>
>>
>
>
> --
> http://hi.im/santosh
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20091029/7fcc0514/attachment.htm>

More information about the general mailing list