<div class="gmail_quote">On Wed, May 20, 2009 at 9:28 AM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
If you're signed in to your Gmail account and you use your Gmail account as your OpenID, why wouldn't you want to automatically be signed in to all the sites that you've linked your Gmail identity to (that's rhetorical - I can think of reasons too)?<br>
</blockquote>
<br>
The only one occurring to me is privacy. From a security perspective, if various RP's will accept OpenID logins from the terminal you're at as having your Google identity, without Google requiring further verification from the user at this terminal (only PRESUMED to be you), there is no difference between being logged out of a given RP and being logged back in - because you still CAN log back in, or anyone with access to the same terminal can, without any further verification.</blockquote>
<div><br></div><div>Two responses:</div><div><br></div><div>1. most OPs allow you to specify something like "Remember this decision" — which means that you don't want to be asked the next time that RP tries to sign you in again. This keeps this flow in your control (as checkid_immediate would fail).</div>
</div>2. Since you must manually associate or link your accounts, you shouldn't do so if you don't want the automatic sign in behavior. In other words, unless you've already linked your Google and Facebook account, you won't get the benefit of automatic sign in, so you do so intentionally.<br>
<br clear="all">There does appear to be a need to better specify, from a user experience and language perspective, how to handle the "public terminal" (what I call the "Apple store situation") case, where the browser session might be shared or accessed by other people.<div>
<br></div><div>Still, that's largely covered by links that say things like "Not [other person's name]? Sign in as a different user."<br><div><br></div><div>This doesn't prevent someone from access your account or pretending to be you, but if someone wants to hack in to your account, they'll figure it out somehow — leaving yourself signed in accidently is probably more of an annoyance for someone else that wants to access her account than a real security issue that can be addresses technologically (besides having best practices around time out and stuff like that).</div>
<div><br></div><div>Chris</div><div><br>-- <br>Chris Messina<br>Open Web Advocate<br><br><a href="http://factoryjoe.com">factoryjoe.com</a> // <a href="http://diso-project.org">diso-project.org</a> // <a href="http://openid.net">openid.net</a><br>
This email is: [ ] bloggable [X] ask first [ ] private<br>
</div></div>