Simon,<br><br>First off, I agree with others on the list that the Sun use of inferring attribute data is different than what Peter Sefton initially asked about. Even so, (for the record), I'm not rock-solid against what you're advocating, but a few good arguments in favor of not using the OpenId itself to indicate profile/attribute information are as follows:
<br><br>1.) Inferring attribute data from an OpenId is IMHO an "anti-Best Practice" for an *OP* because it ties the hands of an OP (if the OP desires to not lose credibility in the marketplace later on). From P. Windley, "What
if Sun decides to open it up to everyone next year and in the
meantime, systems have been deployed assuming that only Sun employees
are entitled to these identifiers?". Arguably, Sun won't be able to become a generic OP without upsetting a lot of RPs (assuming RP's actually deploy code that interfaces with Sun OpenIds in this way).<br><br>
2.) Inferring attribute data from an OpenId is IMHO an "anti-Best Practice" for an *RP*, since an OP might change its policies without notifying every RP. How will a given RP know if Sun decides to relax its policies concerning "Sun OpenIds are only used by Sun Employees"? This could create security headaches depending on what is inferred by a given OpenId.
<br><br>3.) The attribute inferences are way too subjective.<br>What exactly is a "Sun Employee", anyway? For example, are Sun contractors considered employees? I suppose the definition will be set by Sun somewhere, but it's not scalable for everybody to be defining their own attribute
data in this fashion, unless there is a common way to translate what this attribute
data *means* (AX is trying to do something like this). Without such standardization, how will RP's and OP's know which attribute info to infer from a given openid? <br><br><br><div><span class="gmail_quote">
On 5/22/07, <b class="gmail_sendername">Simon Willison</b> <<a href="mailto:simon@simonwillison.net" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
simon@simonwillison.net</a>> wrote:</span><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
On 5/22/07, David Fuelling <<a href="mailto:sappenin@gmail.com" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">sappenin@gmail.com</a>> wrote:<br>> Only a few weeks ago, when Sun announced that all of their employees would
<br>> have OpenId's (and by proxy, all of these employees could identify
<br>> themselves as sun employees using these ids) there was a lot of discussion<br>> (around the web) relating to why this is a bad idea.<br><br>I'd really like to see some URLs for this - as far as I was aware the
<br>only public negative commentary was here - and even that wasn't very<br>strongly worded:<br><a href="http://www.windley.com/archives/2007/05/sun_supports_openid_and_opens_the_question_of_reputation.shtml" target="_blank" onclick="return top.js.OpenExtLink(window,event,this)">
http://www.windley.com/archives/2007/05/sun_supports_openid_and_opens_the_question_of_reputation.shtml
</a><br><br>As someone who is a big proponent of the idea of OpenIDs from<br>different providers meaning different things I would be very<br>interested in hearing the arguments against.<br><br>Cheers,<br><br>Simon<br></blockquote>
</div><br>