SREG's Privacy Policy URL

Allen Tom atom at yahoo-inc.com
Tue Jun 2 17:21:42 UTC 2009


Hi All,

The Simple Registration Extension provides an interface for the RP to 
pass the OP a link to the RP's privacy policy in the authentication 
request. According to the SREG spec, OPs SHOULD display this URL to the 
End User if it is given.

http://openid.net/specs/openid-simple-registration-extension-1_1-01.html#anchor3

Although Attribute Exchange is intended to be a superset of SREG, the 
AX 1.0 spec omitted this feature. Some OPs (like Yahoo) believe that 
it's important to link to the RP's privacy policy, so it's unfortunate 
that this parameter was left out of AX. We think it's important that 
there's an automated way for an RP to inform the OP about its privacy 
policy without requiring the RP to pre-register itself with the OP.

Arguably, the RP's privacy policy is relevant even if there's no SREG/AX 
involved, so perhaps it doesn't make sense to require the RP to use 
SREG/AX to pass its privacy policy to the OP.

Given that the intent of the openid.sreg.policy_url parameter in SREG is 
to define an interface for the RP to ask the OP to link to the RP's 
privacy policy on the OP's UI, it seems that this feature could be 
included in the OpenID User Interface Extension, which is intended to 
allow the RP to influence aspects of the OP's UI.

Alternatively, the RP could publish its privacy policy in its discovery 
document, which does make a lot of sense, but I understand that there's 
a lot of work going on to define the next generation of discovery, and 
I'm not quite sure what the timeframe is for that.

Comments?
Allen
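The openid.sreg.policy_url hand-off discussed above, seen from the OP side, as an added example that is not part of the original post or of any OpenID library: it resolves the SREG namespace alias in an OpenID 2.0 authentication request (falling back to the fixed "sreg" prefix of OpenID 1.1 messages), pulls out policy_url, and only returns it if it is an absolute http(s) URL that the OP can safely render as a link. The sample requests are constructed; rp.example is a placeholder host.

```python
from urllib.parse import parse_qs, urlsplit

# Namespace URI that OpenID 2.0 messages bind to the SREG 1.1 extension alias.
SREG_NS = "http://openid.net/extensions/sreg/1.1"
ALLOWED_SCHEMES = {"http", "https"}

# Constructed sample: a checkid_setup request carrying SREG with its usual alias.
SAMPLE_REQUEST = (
    "openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=checkid_setup"
    "&openid.ns.sreg=http%3A%2F%2Fopenid.net%2Fextensions%2Fsreg%2F1.1"
    "&openid.sreg.optional=email"
    "&openid.sreg.policy_url=https%3A%2F%2Frp.example%2Fprivacy"
)


def parse_openid_message(query: str) -> dict:
    """Flatten a query string into a dict; OpenID keys are not repeated, so keep the last value."""
    return {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}


def sreg_aliases(params: dict) -> list:
    """Resolve which 'openid.<alias>.*' prefixes carry SREG (OpenID 2.0 namespace aliasing)."""
    prefix = "openid.ns."
    aliases = [k[len(prefix):] for k, v in params.items()
               if k.startswith(prefix) and v == SREG_NS]
    # OpenID 1.1 requests declare no namespace and use the fixed alias 'sreg'.
    return aliases or ["sreg"]


def safe_policy_url(value: str):
    """Accept only an absolute http(s) URL that is safe to show as a link; otherwise None."""
    if any(c.isspace() or ord(c) < 0x20 for c in value):
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return value


def extract_policy_url(query: str):
    """Return the RP's policy_url from an authentication request, or None if absent or unsafe."""
    params = parse_openid_message(query)
    for alias in sreg_aliases(params):
        value = params.get(f"openid.{alias}.policy_url")
        if value is not None:
            return safe_policy_url(value)
    return None


if __name__ == "__main__":
    print(extract_policy_url(SAMPLE_REQUEST))
```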
