<!doctype html public "-//W3C//DTD W3 HTML//EN">
<html><head><style type="text/css"><!--
blockquote, dl, ul, ol, li { padding-top: 0 ; padding-bottom: 0 }
--></style><title>Re: [OpenID] DotNetOpenAuth announces support of
the Gover</title></head><body>
<div>>It instantly struck me as an odd concern, this
"paranoia" when forcing users to communicate through an OP
that probably required a LOT of PII from the user (and may provide it
to "the government" upon request).</div>
<div>></div>
<div>>When I used "paranoid" it wasn't intended as a
derogatory term, but rather just the level of urgency with which they
considered privacy.</div>
<div><br></div>
<div>I hadn't thought it was, just the irony of being so committed to
it in one respect while ignoring a classic attack in another.</div>
<div><br></div>
<div>>assuming the OP doesn't store the generated
claimed_ids,</div>
<div><br></div>
<div>That's kind of the problem right there, yes. Why place major
corporations in a trusted position when UCI ought to let *users* speak
as to who *they* consider trustworthy for privacy? I mean, *whose*
privacy is at risk here?</div>
<div><br></div>
<div>>>Does the profile permit multi-user OP's to make
assertions about users for whom they have NOT collected any PII?</div>
<div>></div>
<div>>The profile makes no restrictions whatsoever (at least when I
last read an earlier draft) regarding what cares the OP has taken to
identify the user if I read it correctly.</div>
<div><br></div>
<div>Ahh . . . *blink* I can get certified if my OP indiscriminately
approves *everyone* who tries using it? Or did you mean what cares the
OP takes to correlate the user's information with external
sources?</div>
<div><br></div>
<div>-Shade may be reading this too late at night</div>
</body>
</html>