<div class="gmail_quote">On Mon, Dec 14, 2009 at 11:21 AM, Peter Watkins <span dir="ltr"><<a href="mailto:peterw@tux.org">peterw@tux.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Mon, Dec 14, 2009 at 09:48:54AM +0100, Chris Obdam wrote:<br>
<br>
> I think there a no real privacy issues with this idea? Ok, you know from this anonymous user that he or she has an OpenID with XXX, but is that a bad thing?<br>
<br>
</div>Yes, it is a bad thing.<br>
<br>
1) Privacy. I want to be in control of what information RPs have about<br>
me. I see how you think it wouldn't be a big deal for someone to see that<br>
I'm logged in to Google and Flickr -- what does that really say about me,<br>
you think? Nothing, right? But imagine a group of ideologically simliar<br>
groups deciding to implement RP+OP to make it easier for like-minded<br>
individuals to use all their sites without relying on some mega-OP? I<br>
don't want the data-hungry folks at Facebook noticing that I'm logged<br>
in to the Greenpeace or National Rifle Association unless I explicitly<br>
approve letting Facebook know that.<br></blockquote><div><br></div><div>The OP should be able to opt-in to whatever mechanism is set up. (Note that even today, you may be able to use visited-link color hacks to determine what OPs a user has recently frequented; statistically speaking you can already get the information you're worried about.) </div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
2) Security. A malicious site could more intelligently target victims<br>
if it could ascertain what sites the victim is logged into. There's no<br>
need to attempt some online Gmail exploit if the malicious RP can tell<br>
that the victim isn't logged in to Google.<br></blockquote><div><br></div><div>Again, per above, I think this information is probably already available to <a href="http://evil.org">evil.org</a>, at least statistically speaking.</div>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<br>
I would hope that<br>
<br>
A) OPs would give each user control over whether this discovery was enabled<br>
for his account (and possibly to whom it was available).<br>
<br>
B) Any spec describing this would note that the OP SHOULD give each user<br>
the ability to disable this feature for their account and that the default<br>
for new users SHOULD be to not provide this information.<br>
<br>
BTW, this sounds a lot like what Luke Shepard of Facebook described wanting<br>
to add to checkid_immediate:<br>
<a href="http://www.sociallipstick.com/2009/04/?y%/lets-detect-logged-in-state/" target="_blank">http://www.sociallipstick.com/2009/04/?y%/lets-detect-logged-in-state/</a><br>
<a href="http://lists.openid.net/pipermail/openid-general/2009-May/018232.html" target="_blank">http://lists.openid.net/pipermail/openid-general/2009-May/018232.html</a><br>
<font color="#888888"><br>
-Peter<br>
</font><div><div></div><div class="h5"><br>
_______________________________________________<br>
specs mailing list<br>
<a href="mailto:specs@lists.openid.net">specs@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs</a><br>
</div></div></blockquote></div><br>