<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Mark,<br>
<br>
It is fine to give people the choice to use their phone number as their
OpenID, however I do believe that it is an OP's duty and responsibility
to inform their users as to why this might not be a good idea. This
applies not only to phone numbers, but also to email and IM based IDs.<br>
<br>
While phone numbers and other personal contact information are already
posted on the net, ]users are usually able to control whether or not it
is displayed, and to whom it displayed to. The new twist with OpenID
is that a someone may signin to an RP using their phone based OpenID,
later regret the decision, and might not have a way to delete or hide
their contact info. <br>
<br>
A completely different issue regarding phone based OpenIDs is that
phone numbers are often recycled. Is the OP supposed to periodically
verify that the user still owns the claimed phone number? What happens
if the phone number changes ownership? Is the OP required to hand over
the OpenID to the new owner? If so, is the original owner locked out of
all the sites that where he used his OpenID? <br>
<br>
I do believe that the OpenID community should develop standard
guidelines and best practices regarding OpenIDs and privacy, as well as
address the ID recycling issue (as this is not limited to phone
numbers). These questions are bound to come up if mass adoption is ever
seriously considered, and it would be beneficial to the entire
community if we have consensus on the the answers before the lawyers
come asking.<br>
<br>
Allen<br>
<br>
<br>
Mark Cross wrote:
<blockquote cite="mid00d701c74b00$2adb8060$9700000a@mark" type="cite">
<pre wrap="">Dear Allen,
I agree with nearly all your arguements here and perhaps I need to think on
but:
- Nobody is forcing you to use your mobile - it's your choice (& just my
idea)
- We have phone numbers on net anyway, so what's the difference from a
harvesting POV?
Thank you for your feedback,
Mark
----- Original Message -----
From: "Allen Tom" <a class="moz-txt-link-rfc2396E" href="mailto:atom@yahoo-inc.com"><atom@yahoo-inc.com></a>
To: "Chris Messina" <a class="moz-txt-link-rfc2396E" href="mailto:chris.messina@gmail.com"><chris.messina@gmail.com></a>; <a class="moz-txt-link-rfc2396E" href="mailto:sites@thirdvisit.co.uk"><sites@thirdvisit.co.uk></a>;
<a class="moz-txt-link-rfc2396E" href="mailto:general@openid.net"><general@openid.net></a>
Sent: Wednesday, February 07, 2007 8:47 PM
Subject: Re: [OpenID] PR: OpenID.co.uk - "MobileNumber.OpenID.co.uk" as URI
</pre>
<blockquote type="cite">
<pre wrap="">I really believe that it is not a good idea to encourage people to use
personal contact infomation as their OpenIDs, which applies to both phone
number and email/IM based IDs. The reason is that spammers and griefers
will make life unbearable for people using these IDs.
The user's OpenID will invariably be displayed at many RPs, and if the
user's contact information could be easily determined by the OpenID, it
would just be a matter of time before OpenID gets a bad rep for attracting
spam, and everyone switches back to disposable IDs again, or abandons
OpenID altogether.
This is the same argument as to why it is not a good idea to post your
email address, IM screenname, or phone number online, especially if its on
some random RP that you're not all that familar with.
For OpenID to succeed, it is very important that the early adopters think
very carefully about these issues, or else OpenID could develop a poor
reputation, preventing its widespread adoption.
Allen
Chris Messina wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Perhaps the better way to think about this is as a personal OpenID
alias? So rather than publishing it all over the place, an iDP might
offer "phone number aliasing" to help people remember their openids...
So say I sign up on JanRain and add my phone number -- which is
confirmed by SMS or callback code system... Perhaps I could then use
[phonenumber].myopenid.com to login... Just a thought.
Chris
On 2/7/07, Allen Tom <a class="moz-txt-link-rfc2396E" href="mailto:atom@yahoo-inc.com"><atom@yahoo-inc.com></a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi Mark,
Exposing one's phone number might not be a good idea for everyone, as
griefers and stalkers would have an easy way to harass people who had
phone number based IDs.
Also, what happens if and when a phone number is recycled?
Allen
<a class="moz-txt-link-abbreviated" href="mailto:sites@thirdvisit.co.uk">sites@thirdvisit.co.uk</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi,
Shameless plug:
<a class="moz-txt-link-freetext" href="http://www.openid.co.uk">http://www.openid.co.uk</a>
Please visit and digg if you like it!
Cheers Mark
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<pre wrap="">_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap="">
</pre>
</blockquote>
<pre wrap=""><!---->
_______________________________________________
general mailing list
<a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
<a class="moz-txt-link-freetext" href="http://openid.net/mailman/listinfo/general">http://openid.net/mailman/listinfo/general</a>
</pre>
</blockquote>
<br>
</body>
</html>