Adoption questions

Kevin Turner kevin at janrain.com
Fri Oct 6 18:17:44 UTC 2006


On Fri, 2006-10-06 at 13:26 +1000, Chris Drake wrote:
> Is my understanding accurate: OpenID is unable to support single sign
> on.  If not - let's assume it's 9am.  I just signed on.  I can visit
> RP#1 then RP#2 then RP#3 and go back and forth all day without
> hindrance, until I next sign off - yes?

This depends almost entirely on the configuration of the RPs involved,
but I think the situation you describe is quite doable.


> Privacy: during any hypothetical overheard lunchtime conversation
> between The CEO of RP#1 and the CEO of RP#2 - nobody's ever going to
> hear this fragment of conversation: "... yeah - that troublemaker is
> one of our users too ..." - or are they?

Being able to identify troublemakers across sites is one of the chief
features of a system like OpenID.  It's what enables reputation systems
and helps content providers break out of silos.  However, if, as a user,
you don't like that feature, you can use directed identity with OpenID.

This requires using an IdP with enough other users to provide you with
some degree of anonymity -- if you run your own IdP, and are causing
enough trouble to draw attention to yourself, they're likely to figure
out that everyone using that IdP is you, no matter how many different
identifiers you have it assert.

Then you provide different identifiers to RP#1 and RP#2.  Under OpenID
1.x this is rather cumbersome to do without custom tools in the user
agent, but OpenID 2.0 enables IdP-driven identifier selection, which
means your IdP can help you keep track of which identifier you provide
to which RP.

Also keep in mind that, even in the absence of any global user
identifier scheme, the Internet presents other challenges to complete
anonymity, e.g. your IP address.  The level of technical understanding
and aptitude required to avoid detection by those basic means will
probably place it out of reach of most casual users.

And, as an aside, for a fun read about just what can be done with your
IP address in the hands of an outfit like the RIAA's legal team, see
http://digitalmusic.weblogsinc.com/2006/08/07/the-riaa-vs-john-doe-a-laypersons-guide-to-filesharing-lawsui/
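
The directed-identity arrangement described in the message above, sketched as an added example that is not part of the original post or of any OpenID implementation: an IdP derives a separate, stable identifier for each RP from a secret only it holds. The HMAC derivation is one possible scheme (OpenID does not specify one), and `idp.example`, the secret and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

IDP_BASE = "https://idp.example/id/"     # hypothetical IdP identifier prefix
IDP_SECRET = b"constructed-demo-secret"  # constructed; a real IdP guards this key


def rp_key(realm: str) -> str:
    """Reduce an RP URL to scheme://host[:port] so one RP always maps to one
    pseudonym (simplification: path and wildcard realms are ignored)."""
    u = urlsplit(realm)
    scheme = u.scheme.lower()
    host = (u.hostname or "").lower()
    default = {"http": 80, "https": 443}.get(scheme)
    port = "" if u.port in (None, default) else f":{u.port}"
    return f"{scheme}://{host}{port}"


def directed_identifier(user: str, realm: str, secret: bytes = IDP_SECRET) -> str:
    """Identifier that is stable for (user, RP) and cannot be matched across
    RPs by anyone who lacks the IdP secret."""
    parts = (user.encode(), rp_key(realm).encode())
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return IDP_BASE + base64.b32encode(digest[:20]).decode().lower()


def shared_attributes(id_a: str, id_b: str) -> dict:
    """What two RPs comparing notes can still match on."""
    return {
        "same_identifier": id_a == id_b,
        # With a single-user IdP this alone links the accounts.
        "same_idp_host": urlsplit(id_a).hostname == urlsplit(id_b).hostname,
    }


if __name__ == "__main__":
    a = directed_identifier("chris", "https://rp1.example/")
    b = directed_identifier("chris", "https://rp2.example/")
    print(a, b, shared_attributes(a, b), sep="\n")
```

The `same_idp_host` result is the caveat from the message: the identifiers differ, but both still name the IdP, so the protection is only as good as the number of other users sharing that IdP.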