[OpenID] Proving your OpenID to foreign domain
SitG Admin
sysadmin at shadowsinthegarden.com
Tue Sep 8 22:58:29 UTC 2009
>OpenID will give me a URL that represents that user, but not contain
>the actual username. Is this being worked on or looked into?
In general, that sort of thing is left up to the particular foreign
domain implementing OpenID; were you specifically looking for an
answer from YouTube?
>I understand why the URL is not required to be the username,
If you're thinking "Because the numeric ID may be a user's primary
key for their entry within the database, and the alphanumeric string
never in danger of collisions with identical alphanumeric strings
from different accounts because the username is never used as a
primary key.", then, yes, I can understand too :)
>but I
>believe OpenID should provide a simple way of saying, "You requested
>proof of ownership for 'john.doe at youtube.com', and yes, the user is
>the owner".
A slightly different way of phrasing it, "You requested proof of
ownership for 'john.doe at youtube.com', and yes, I am the owner", may
still carry different implications; in UCI-land, the *user* has a
simple interface where they can choose to assert ownership of their
URL+username or merely to having an account at YouTube - or, to
abandon those UCI principles, users are merely (carriers for their)
security tokens, allowing foreign domains to request that sites share
information they have on accounts by username.
If sites begin openly sharing information by exploiting the users and
their browsers, privacy-valuing individuals may retaliate by
modifying their browsers to isolate sessions between sites. (Come to
think of it, Firefox already does this with some extensions; one that
limits cookies comes to mind.) If sites begin trying to detect this
by looking at such clues as IP address, more browser modifications
may begin routing all traffic through various darknets by destination
domain, challenging those of us who profess to be concerned about
identity collisions to either be more intelligent about it or write
them all off as a loss for their insistence on not playing by the
rules ;)
-Shade
More information about the general
mailing list