Hi Allen,<br><br>Just my two cents on the multiple personas at a single OP... the OpenID security best practices document that was just published mentioned that RPs are encouraged to not use persistent session cookies, but rather persistent OpenID Claimed Identifier cookies, so that each time the user visits an RP, he can be automatically logged in if and only if he is logged into the OP. This sounds like a good paradigm to work toward.<br>
<br>But it won't work so well if users are forced to have multiple accounts at the OPs in order to manage their multiple personas. For instance, if I must have two Yahoo accounts to manage my two personas, then I can only be logged into one of them at once, which forces me to keep logging into "the other one" each time I visit an RP that happens to use a different persona than the last RP I visited.<br>
<br>Contrast that to Yahoo supporting multiple personas: I'm logged into all of them at once, so no matter which RP I visit as a Yahoo! customer, Yahoo can implicitly log me into those RPs regardless of which claimed_id and/or persona from Yahoo I used to log in with them.<br>
<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
<br><br><div class="gmail_quote">On Thu, Jun 18, 2009 at 5:47 PM, Allen Tom <span dir="ltr">&lt;<a href="mailto:atom@yahoo-inc.com">atom@yahoo-inc.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi Noel,<br>
<br>
Thanks for sending the link to your blog post.<br>
<br>
Given that many people already have multiple email addresses for different uses and personas, is it really necessary for OpenID Providers to give users the option of using different OpenIDs when using the same account to sign into different websites?<br>
<br>
Users who already understand the concept of having multiple accounts for different purposes can just use different accounts for each persona (perhaps even using different OPs). OpenID enabled accounts are freely and easily available from many major identity providers, and encouraging users who do not want their identities correlated across multiple websites to just use a different account is probably a lot safer from a security and privacy perspective than expecting users to use a single account with a single OP, with multiple OpenIDs.<br>
<font color="#888888">
<br>
Allen</font><div class="im"><br>
<br>
<br>
<br>
Dickover, Noel, CTR, NII/DoD-CIO wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
I wrote a blog post on my thoughts for Privacy as it affects Open<br>
Government initiatives, and how OpenID could potentially help in the<br>
future. They liked it enough that they asked to repost it on the<br>
PrivacyDC blog. The link is here if anyone wants to give me some<br>
thoughts on it:<br>
<br>
<a href="http://privacycamp.wordpress.com/2009/06/16/gov2-0-privacy-issues-for-privacycampdc/" target="_blank">http://privacycamp.wordpress.com/2009/06/16/gov2-0-privacy-issues-for-privacycampdc/</a><br>
<br>
<br>
</blockquote>
<br></div><div><div></div><div class="h5">
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br>