Users on Public Computers
Terrell Russell
terrellrussell at gmail.com
Tue Nov 7 18:53:26 UTC 2006
Joshua Viney wrote:
> I see a single-sign-out function
> being the counterpoint to a single-sign-on. If the OpenID spec makes
> recommendations concerning the sign-in feature, can it make
> recommendations re: the sign-out feature as well, or at least support
> the feature if it is implementation specific? It seems that there would
> need to be some protocol level support for single-sign-out.
>
This does seem at least a point for more discussion. The argument that
there should be a recommendation in the spec and some basic support for
such a thing at the protocol level makes sense. Even if the
recommendation is to not have any support.

> Again I find myself making a suggestion about the browser layer...
> (Terrell)
>
> Re: a browser-level solution is very interesting, but may have too many
> dependencies. I would think there would have to be consideration for
> multiple browsers (IE included), backwards compatibility, and pretty
> constant support. Also, I've found that users do not use their browsers.
> By that I mean that users tend to focus on the sites they browse not the
> browser they use to access those sites. I have seen as high as 20%
> click-through from Google for keywords that include a complete site
> address (www.yoursitenamehere.com) on a site with over 10 million
> registered members. That number translates to people knowing where they
> want to go and instead of entering the address in the address bar, they
> enter it into Google. That being said, if done right, a browser-level
> single-sign-out *could* make for a smoother user experience. In general
> though, I would prefer to be able to solve this problem before jumping
> outside the RPs' sites themselves.

I'm not sure what today's users have to do with this... It's more about
what the better answer is, right? Tomorrow's users are different than
today's - by definition. Nobody had a Google toolbar 5-6 years ago -
and now it's nearly everywhere. Before that, nobody checked their
little lock icon for https. Now they do.

As for backwards compatibility? There is none to worry about.
Backwards compatible just means it works like it does today (or rather,
doesn't, as the example illustrates). If a browser is ignorant of
OpenID in the future (pointing at you IE), then it's the same as it is
today.

All that said, if there *is* a recommendation of how to handle IdP
sign-out at the consumer-site level in the spec itself, we can attack
the problem from both ends. Those with smart/fluent browsers will see
relevant OpenID feedback all the time - and those without will see
iconography and functionality perhaps on the OpenID-enabled site they're
visiting.

Terrell
http://claimID.com