<h2 style="font-weight: normal;"><font size="2">As I had posted the same topic on my blog (<a href="http://www.solution-media.de/blog/2007/03/06/openid-consumer-ping-service/">http://www.solution-media.de/blog/2007/03/06/openid-consumer-ping-service/
</a>) I would like to post the results of the discussion over there to the mailinglist:</font></h2><br><h2>Reader Comments</h2>
<a name="comment-28"></a>
<div id="comment_28" class="comment">
<dl class="metadata reduced"><dt class="comment_number">Comment Number:</dt><dd class="comment_number">1</dd><dt class="writer">Written by:</dt><dd class="writer"><a href="https://certifi.ca/" rel="external nofollow">
Evan Prodromou</a><br></dd><dt class="timedate">Posted on:</dt><dd class="timedate">March 8, 2007 at 12:31 am <a href="http://www.solution-media.de/blog/wp-admin/post.php?action=editcomment&comment=28">Edit</a></dd></dl>
<div class="content">
<p>This
sounds like a very useful service for the OpenID community. However,
for the individual OpenID user, I think there's a danger of privacy
violation. I don't think part of the implicit "social contract" of
OpenID is that trust roots of RPs that a user is logging into get
published to another site without their consent. In fact, I don't think
any part of the user's login should be reported to a third party
without their knowledge or consent.</p>
<p>For example, if I were starting a new, unlaunched Web site, and I
was testing its OpenID functionality, I'd be pretty mad if its trust
root URL showed up in a public directory. If the trust root was for an
embarrassing web site, or if it included personally-identifying
information, I think it would also be a problem.</p>
<p>I think that there's a possibility for using this service that would
minimize intrusion and privacy concerns. A couple of ideas: an opt-in
checkbox on the trust form for when the user first logs in using some
trust root ("(Optional) Add this trust root to the OpenID Directory?"),
and caching trust roots at the IdP side so it doesn't ask unless the
URL is really new.
</p>
</div>
</div>
<a name="comment-29"></a>
<div id="comment_29" class="comment">
<dl class="metadata reduced"><dt class="comment_number">Comment Number:</dt><dd class="comment_number">2</dd><dt class="writer">Written by:</dt><dd class="writer"><a href="http://www.solution-media.de/blog/?page_id=2" rel="external nofollow">
thuhn</a><br></dd><dt class="timedate">Posted on:</dt><dd class="timedate">March 8, 2007 at 11:34 am <a href="http://www.solution-media.de/blog/wp-admin/post.php?action=editcomment&comment=29">Edit</a></dd></dl>
<div class="content">
<p>Hi Evan,<br>I
absolutely agree on the checkbox idea. I already proposed this on the
OpenID general mailinglist. I think it fits in well on the screen you
see when you first login to a site. </p>
<p>The caching mechanism could even be improved if we would offer a
ping-service that allows you to check if the trustroot is already
submitted to the OpenID Directory (after checking that the URL is new
to the IdPs own database).</p>
<p>But as we are coming closer to the relaunch of the OIDD we may have
to rethink the ping-service again. The new OIDD will have OpenID login
(and nothing else <img src="http://www.solution-media.de/blog/wp-includes/images/smilies/icon_wink.gif" alt=";-)" class="wp-smiley"> ) and the possibility to take control of the title, description, thumbnail etc. of the sites you submitted yourself.
</p>
<p>But who should submit sites at all? The webmasters themselfs, I
think. For the moment we do not ckeck if the submitter of a site is its
owner (by micro-ids e.g.), but this can be an issue if we get
complaints about this liberal practice.</p>
<p>So the question is if we should leave it up to the user of an IdP to
add a site to the OIDD or should we at least try to catch only the
webmasters by simply putting a button there saying "Are you the
webmaster of this trustroot? Add your site to the public OpenID
Directory for free!". This could jump to a new window (not interrupting
the login process) leading the webmaster to the OIDD submission. Here
he can take full control over the represantation of his site.</p>
<p>BTW, this would mean less manual work for the editors of the OIDD and
better control for webmasters. This would also mean omitting the
auto-submission and replacing it by a simple service that returns you a
yes or no answer for the question if a trustroot is already listed on
the OIDD.
</p>
</div>
</div>