Discovery of an OpenID session at an OP
Chris Obdam
chris.obdam at holder.nl
Tue Dec 15 17:25:51 UTC 2009
On 15 Dec 2009, at 18:12, Breno de Medeiros wrote:
>>
>> So could you please clarify whether you are saying you agree with John's
>> intended main point, that OPs could (should?) address this with a privacy
>> mechanism (in which case I'm curious whether you think the foundation and spec
>> should require or encourage such mechanisms) *or* whether you think the
>> DOM/JS flaw means OpenID shouldn't worry about user privacy?
>>
>
> I think John's point is that the mechanism to protect privacy should
> be optionally available to OPs: There should be a rule to allow OPs to
> push this information without user consent.
With 'a rule', do you mean part of OpenID somewhere?
If so, I agree.
> John anchored this point on the fact that the information is already
> available via DOM/JS tricks. I think that these DOM/JS tricks are not
> difficult to be fixed on the client side so I would prefer not to make
> arguments for how to move forward based on accidental circumstances.
> Regardless of the justification, one could argue that OPs should not
> be mandated to implement the privacy solution because they may know
> better what their consumers want.
The OP chooses for the consumer? That shouldn't be the case?
> That is good as it goes, but we should still make sure that the design makes it easy for RPs to
> implement the privacy issue,
What do you mean by 'privacy issue'? That the consumer has a setting with the OP to expose the OpenID session or not?
> because if it becomes an issue of technical complexity (as opposed to finding out what users want) and
> there's a loophole (it's optional), then it will likely not be implemented.
Therefore I think it should be offered by the OP. People can choose what they want to expose. Whether that is switched on by default is something else.
> The risk of having no privacy story is a backlash that results in the
> baby being thrown out with the bath water.
What do you mean by 'no privacy story'? I want the consumer to control whether my logged-in state is exposed or not.
Ideally, I want to be asked when registering if I want to 'expose my logged-in state'.