<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
+1<br>
<br>
As a user I don't want my OpenID propagated to another site for
Single-Sign-on without the option to determine whether I want to be
authenticated at that site or not. Just because I can be authenticated
at a site (e.g. digg or slashdot) doesn't mean I want to be.<br>
<br>
Existing browser form fills (or the <a href="http://www.sxipper.com">sxipper</a>
plugin) do this already by recognizing the OpenID form field and
offering to automatically fill it in. This means I don't have to type
it in every time and yet allows me the flexibility to determine when I
want to authenticate and when I don't.<br>
<br>
Thanks,<br>
George<br>
<br>
Tan, William wrote:<br>
<blockquote cite="mid45BDDF46.8020601@neustar.biz" type="cite">
<pre wrap="">However, an RP (or OP) wouldn't randomly link to another site giving it
the openid_url of the logged in user since that would be a huge security
concern. I assume the use case is for keeping the user logged in within
affiliated sites only, kind of like moving between gmail and gcalendar
or something like that.
If the first RP that appends the openid_url parameter can be certain
that the target will process it and then redirect away to a URL with no
private information, then that's fine.
=wil
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
</body>
</html>