[OpenID] The difference between "Allow Once" and "Allow Forever" when logging in for the first time
Jason Spiro
jasonspiro4+taglist at gmail.com
Fri Jan 7 06:24:42 UTC 2011
Hi all,

Thanks for designing OpenID. I'm an Internet user and would like help
understanding the difference between providers' "Allow Once" and "Allow Forever"
buttons.

Today, I went to www.superuser.com -- which is a sort of web forum. I'd never
contributed to superuser.com. When I tried to contribute, it asked me to log in
or register. I entered my OpenID, which is http://claimid.com/jasonspiro .
This took me to https://openid.claimid.com/login which asked me to type in my
ClaimID.com username and password, which I did.

Now for the confusing part. It showed me the following question.

You're about to log in to http://superuser.com/users/authenticate/ (sweet!)
Click Log In or Log In and Trust to log in to
http://superuser.com/users/authenticate/.
(Log In and Trust adds this site to your list of trusted sites.)
[ Log In ] [ Log in and Trust ] [ Cancel ]

I had no idea whether to Trust or not. ClaimID.com is definitely not as easy to
use as it could be, since ClaimID.com didn't explain to me what "trust" means,
and even a Google search for [ claimid "log in and trust" ] didn't help. Now,
having done more research, it seems to me that ClaimID's "Log In" is like a few
other OpenID providers' "Allow Once" button, and "Log In and Trust" is like
their "Allow Forever" button.

But what do "Allow Once" and "Allow Forever" do? Having spent more time
researching this than I'd like, I found a wiki page[1] by Evan Prodromou. The
wiki page seems to me to mean that "Allow Once" lets superuser.com find out
information that I've shared with ClaimID, like my current name, email address,
and the city where I live, but only lets superuser.com find it out once. "Allow
Forever" will let superuser.com find out my current name, email address, and
city, and if I change my name, email address, or city that I have stored on file
with ClaimID, superuser.com can get updates. And this is the only difference
between the two buttons.

Is my understanding, as I've explained it in the preceding paragraph, correct?

Also, why does it seem that many major OpenID providers don't provide a "Help"
link right next to the "Allow Once" and "Allow Forever" buttons that tells me
what the difference between the buttons is?

Thanks in advance,
-Jason

^ [1]. http://evan.prodromou.name/OpenID_Privacy_Concerns