This auto-login aggravates the need for a single-signout. If RPs start to auto-login their users, then it's no longer even a matter of "I log out of every site I log into before I leave the terminal". Now it's "I log out of my OP <i>first</i>, then I revisit <i>every</i> site I've merely visited (whether or not I explicitly logged in during this session) on this terminal and make sure I'm explicitly logged out of it before leaving". That's an <i>awful</i> user story.<br>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Wed, May 20, 2009 at 9:36 AM, Chris Messina <span dir="ltr"><<a href="mailto:chris.messina@gmail.com">chris.messina@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="gmail_quote"><div class="im">On Wed, May 20, 2009 at 9:28 AM, SitG Admin <span dir="ltr"><<a href="mailto:sysadmin@shadowsinthegarden.com" target="_blank">sysadmin@shadowsinthegarden.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
If you're signed in to your Gmail account and you use your Gmail account as your OpenID, why wouldn't you want to automatically be signed in to all the sites that you've linked your Gmail identity to (that's rhetorical - I can think of reasons too)?<br>
</blockquote>
<br>
The only one occurring to me is privacy. From a security perspective, if various RPs will accept OpenID logins from the terminal you're at as having your Google identity, without Google requiring further verification from the user at this terminal (only PRESUMED to be you), there is no difference between being logged out of a given RP and being logged back in - because you still CAN log back in, or anyone with access to the same terminal can, without any further verification.</blockquote>
<div><br></div></div><div>Two responses:</div><div><br></div><div>1. most OPs allow you to specify something like "Remember this decision" — which means that you don't want to be asked the next time that RP tries to sign you in again. This keeps this flow in your control (as checkid_immediate would fail).</div>
</div>2. Since you must manually associate or link your accounts, you shouldn't do so if you don't want the automatic sign in behavior. In other words, unless you've already linked your Google and Facebook account, you won't get the benefit of automatic sign in, so you do so intentionally.<br>
<br clear="all">There does appear to be a need to better specify, from a user experience and language perspective, how to handle the "public terminal" (what I call the "Apple store situation") case, where the browser session might be shared or accessed by other people.<div>
<br></div><div>Still, that's largely covered by links that say things like "Not [other person's name]? Sign in as a different user."<br><div><br></div><div>This doesn't prevent someone from accessing your account or pretending to be you, but if someone wants to hack in to your account, they'll figure it out somehow — leaving yourself signed in accidentally is probably more of an annoyance for someone else that wants to access her account than a real security issue that can be addressed technologically (besides having best practices around time out and stuff like that).</div>
<div><br></div><div>Chris</div><div><br>-- <br>Chris Messina<br>Open Web Advocate<br><br><a href="http://factoryjoe.com" target="_blank">factoryjoe.com</a> // <a href="http://diso-project.org" target="_blank">diso-project.org</a> // <a href="http://openid.net" target="_blank">openid.net</a><br>
This email is: [ ] bloggable [X] ask first [ ] private<br>
</div></div>
<br>_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
<br></blockquote></div><br>