<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">The OP can send a PAPE response even if there is no PAPE request. <div><br></div><div>Yahoo is including PAPE in all there responses.</div><div><br></div><div>The PPID URI has a specific meaning with respect to correlation.</div><div><br></div><div>Some providers (like Yahoo) use identifiers that are still correlatable simply to hide the email address where that is tied to the account name.</div><div><br></div><div>I don't think those should return the PPID PAPE URI.</div><div><br></div><div>This gets more complicated as the number of possible identifier types for openID expands.</div><div>For the moment we have XRI, URL's that point to profile pages, URL that don't point to profiles.</div><div><br></div><div>If we were to allow other things as claimed_id in the future it gets more complicated.</div><div><br></div><div>Perhaps another way to ask the question is if the claimed_id points to profile info.</div><div><br></div><div>If it doesn't then there is no real reason to try and use it as the local "username"</div><div><br></div><div>We also need to consider what new users are likely to understand. The web site using a URL that points to a external profile page may be what we anticipate but it may be a surprise to a normal user.</div><div><br></div><div>While that may have been grate for the original blog commenting use case, I don't know that it holds true for many consumer sites now taking openID.</div><div><br></div><div>John B.</div><div><br><div><div>On 2009-10-29, at 12:48 PM, Andrew Arnott wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>A usability issue with OpenID is that while "<a href="http://blog.nerdbank.net/">blog.nerdbank.net</a>" makes for a reasonable "username" for an RP to display as I log in with my "vanity URL", my Google-given claimed_id at an RP is <i>not</i> suitable for display as my username. Rather than have RPs hard-code an increasing number of OPs that issue these, particularly since some OPs can issue PPIDs at some times and not others based on user preference, can we get OPs to somehow indicate with the assertion that the identifier is not intended for human consumption?</div>
<div><br></div><div>We already have a way: a PAPE authentication policy with this URI: (which comes from the ICAM OpenID 2.0 profile)</div><a href="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier">http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier</a><div>
<br></div><div>Can we get Google, and any other OPs that issue these identifiers, to includes this PAPE policy? </div><div><br></div><div>One possibility is to include this PAPE policy in the response if it was included in the request, but if an RP doesn't particularly want to <i>request</i> a PPID, but merely wants to know if it gets one, requesting this policy in PAPE doesn't seem appropriate.</div>
<div><br></div><div>Any other ideas?</div><div><br></div><div>--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre<br>
</div>
_______________________________________________<br>general mailing list<br><a href="mailto:general@lists.openid.net">general@lists.openid.net</a><br>http://lists.openid.net/mailman/listinfo/openid-general<br></blockquote></div><br></div></body></html>