[OpenID] Fixing usability: can OPs indicate their claimed_id's are PPID's?

Shane B Weeden sweeden at au1.ibm.com
Thu Oct 29 23:14:22 UTC 2009


With the competing requirements of privacy vs vanity-url I believe it's
likely RP's are going to have to move away from displaying the
user-supplied or claimed identifier and relying on SREG/AX for the "display
name", at least for OP-identifier based logins. If no data is available
from SREG/AX, a locally stored profile on the RP will need to store the
display name.  Some RP's are only ever going to use the claimed identifier
as an account lookup key (e.g. those using the ICAM PAPE policy
http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf). In that case
anything displayed about the user will have to be stored/managed by the RP
itself anyway.


From:       Andrew Arnott <andrewarnott at gmail.com>
To:         general <general at openid.net>, Breno de Medeiros <breno at google.com>
Date:       30/10/2009 01:50 AM
Subject:    [OpenID] Fixing usability: can OPs indicate their claimed_id's are PPID's?
Sent by:    openid-general-bounces at lists.openid.net

A usability issue with OpenID is that while "blog.nerdbank.net" makes for a
reasonable "username" for an RP to display as I log in with my "vanity
URL", my Google-given claimed_id at an RP is not suitable for display as my
username.  Rather than have RPs hard-code an increasing number of OPs that
issue these, particularly since some OPs can issue PPIDs at some times and
not others based on user preference, can we get OPs to somehow indicate
with the assertion that the identifier is not intended for human
consumption?

We already have a way: a PAPE authentication policy with this URI: (which
comes from the ICAM OpenID 2.0 profile)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier

Can we get Google, and any other OPs that issue these identifiers, to
include this PAPE policy?

One possibility is to include this PAPE policy in the response if it was
included in the request, but if an RP doesn't particularly want to request
a PPID, but merely wants to know if it gets one, requesting this policy in
PAPE doesn't seem appropriate.

Any other ideas?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death
your right to say it." - S. G. Tallentyre
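
Added example, not part of the original thread and not taken from any OpenID library: one way an RP could apply the two ideas above, treating the PPID policy URI in the PAPE auth_policies field as "do not display this claimed_id" and falling back from SREG to a locally stored profile. It assumes the assertion's signature has already been verified by the RP's OpenID library; the function names, the sample OP and the sample identifier are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode

PAPE_NS = "http://specs.openid.net/extensions/pape/1.0"
SREG_NS = "http://openid.net/extensions/sreg/1.1"
# Policy URI quoted in the message above (ICAM OpenID 2.0 profile).
PPID_POLICY = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
               "privatepersonalidentifier")

def signed_fields(params):
    """Keep only the fields listed in openid.signed; unsigned ones are untrusted."""
    names = params.get("openid.signed", "").split(",")
    return {"openid." + n: params["openid." + n]
            for n in names if "openid." + n in params}

def ext_alias(fields, ns_uri):
    """Return the alias an extension is bound to via openid.ns.<alias>."""
    for key, value in fields.items():
        if key.startswith("openid.ns.") and value == ns_uri:
            return key[len("openid.ns."):]
    return None

def is_ppid(fields):
    """True if the OP asserted the PPID policy in PAPE auth_policies."""
    alias = ext_alias(fields, PAPE_NS)
    policies = fields.get(f"openid.{alias}.auth_policies", "") if alias else ""
    return PPID_POLICY in policies.split()

def display_name(query_string, local_profiles):
    """SREG first, then the RP's own profile, then a non-PPID claimed_id."""
    fields = signed_fields(dict(parse_qsl(query_string)))
    claimed_id = fields["openid.claimed_id"]  # account lookup key; must be signed
    sreg = ext_alias(fields, SREG_NS)
    for attr in ("nickname", "fullname") if sreg else ():
        if fields.get(f"openid.{sreg}.{attr}"):
            return fields[f"openid.{sreg}.{attr}"]
    if claimed_id in local_profiles:
        return local_profiles[claimed_id]
    # None tells the RP to ask the user for a name instead of showing a PPID.
    return None if is_ppid(fields) else claimed_id

# Constructed sample assertion (hypothetical OP and identifier).
SAMPLE = urlencode({
    "openid.claimed_id": "https://op.example/id?id=AItOawk7constructed",
    "openid.ns.pape": PAPE_NS,
    "openid.pape.auth_policies": PPID_POLICY,
    "openid.signed": "claimed_id,ns.pape,pape.auth_policies",
})

if __name__ == "__main__":
    print(display_name(SAMPLE, {}))
```

Extension fields that are not covered by openid.signed are dropped before any decision is made, so an SREG nickname appended to the return URL by a third party is never displayed.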