"This is user's URI" for Assertion Quality Extension
Drummond Reed
drummond.reed at cordance.net
Fri Sep 5 19:21:44 UTC 2008

Shade, your use case seems to have three built-in assumptions:

1) A directed identity URI is not a "real" URI.
2) Users who want to use a directed identity URI are second-class users of a
site vs. those who do not.
3) The goal of OpenID is to get users to use a single URI at all sites.

I would submit that all three are false:

1) A directed identity URI is as valid a URI as any other URI for the user.
It can be used to discover other services or exchange attributes or anything
else a non-directed identity URI can do.
2) The fact that a directed identity URI helps preserve the user's privacy
should in no way be construed that they should be a second-class citizen of
a site.
3) I've had people tell me that without directed identity being added in
OpenID 2.0, OpenID was so privacy-unfriendly that adoption would hit a wall.

So in short, rather than directed identity URIs being treated as
second-class, there is every reason for a privacy-protecting site not to
discriminate against them at all.

=Drummond

> -----Original Message-----
> From: specs-bounces at openid.net [mailto:specs-bounces at openid.net] On Behalf
> Of SitG Admin
> Sent: Friday, September 05, 2008 1:15 AM
> To: Martin Atkins
> Cc: specs at openid.net
> Subject: Re: "This is user's URI" for Assertion Quality Extension
>
> >What's the use-case?
>
> If the RP doesn't care about distinguishing between users that have
> accounts at a site but identify themselves as such anonymously, it
> can reclassify them as "users that have accounts at a site",
> consolidating what could be a large number of identities into a
> single account. (This is largely a convenience for the Relying
> Parties, reducing database clutter but perhaps the performance hit
> wouldn't be noticed anyway?)
>
> RPs may want to discriminate between users that use a "real" URI and
> those that only use OpenID anonymously, just as users may want to
> experiment with new sites using a unique (randomly generated) URI
> that can't be associated with their accounts elsewhere, and then use
> their main URI if they decide they like the RP's services. (I'm
> hoping that others here will volunteer their own specific use-cases
> or what they *could* do with such information were it asserted by an
> OP.)
>
> One form of discrimination could be encouraging users to have a
> "real" URI by giving them more features - reward them for adapting to
> the Web 2.0 model and using their OpenID around the web. Another
> could be swifter expiration of new accounts under the presumption
> that new users who use an anonymous URI are just experimenting with
> the service (this would be both a performance convenience for RPs as
> described above, and a complement of the encouragement more
> immediately above, instead *dis*-couraging users from using an
> anonymous URI for long-term use). (Since a user could still create
> multiple accounts on one or more sites and use each of them as a
> "real" URI, such discrimination wouldn't reduce the user's ability to
> compartmentalize their identity and maintain privacy.)
>
> -Shade