If I was building an RP, I would definitely download and cache the profile image for the privacy and security reasons that you stated.

However, many RPs have asked if they can directly link to the profile pic, because image hosting costs money, and downloading and caching requires work and effort. Also, some RPs would like to have the image automatically updated if the user changes it.

With the current Yahoo AX implementation, RPs can deep link to the profile image if they want to, however, the image could be deleted if the user changes their picture, resulting in a broken image.

For the purposes of interop, it would be good to clarify what RPs should do with the Profile Image url.

Allen

On 12/9/09 9:05 PM, "SitG Admin" <[email protected]> wrote:

>> One of the things that I'd like to clarify in AX 1.1 is whether or
>> not RPs should be able to deep link directly to the profile pic, or
>> if they're expected to download and cache it themselves. Also, if
>> RPs are able to deep link to the profile pic, then we should also
>> define whether or not the content of the URL be updated when the
>> user updates their pic.
>
> RP's should be able to cache it themselves; if you let me specify an
> avatar URL at any server I control, anyone who views a page with my
> avatar on it will probably be sending me referer metadata that can
> let me track/identify them :(
>
> -Shade

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
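
Added example, not part of the original thread or of any AX specification: a sketch of the download-and-cache option discussed above, where the RP fetches the profile image server-side and serves its own copy, so viewers' browsers never contact the avatar host and a deleted remote image does not leave a broken one. `AvatarCache`, the injected `fetch` callable, the `/avatars/` prefix and the size cap are assumptions made for illustration.

```python
import hashlib
from urllib.parse import urlsplit

MAX_BYTES = 256 * 1024  # assumed size cap for a profile image
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
         b"GIF87a": "gif", b"GIF89a": "gif"}

class AvatarCache:
    """Hypothetical RP-side cache for the AX profile image URL."""

    def __init__(self, fetch, local_prefix="/avatars/"):
        # fetch: callable(url) -> bytes, raising OSError on failure. Injected so
        # the example runs offline; a real fetcher should also set timeouts and
        # restrict which hosts the RP is willing to contact.
        self.fetch = fetch
        self.local_prefix = local_prefix
        self.blobs = {}   # local file name -> bytes (stand-in for disk storage)
        self.by_url = {}  # remote image URL -> local file name

    def local_url(self, remote_url):
        """Return an RP-hosted URL for the image, or None if it is rejected."""
        if remote_url in self.by_url:
            return self.local_prefix + self.by_url[remote_url]
        if urlsplit(remote_url).scheme not in ("http", "https"):
            return None
        try:
            data = self.fetch(remote_url)
        except OSError:
            return None
        ext = next((e for m, e in MAGIC.items() if data.startswith(m)), None)
        if ext is None or len(data) > MAX_BYTES:
            return None  # not a recognised image type, or too large
        # Content-addressed name: the remote host never appears in the page.
        name = hashlib.sha256(data).hexdigest()[:32] + "." + ext
        self.blobs[name] = data
        self.by_url[remote_url] = name
        return self.local_prefix + name

    def refresh(self, remote_url):
        """Re-fetch (e.g. at next login); keep the old copy if the fetch fails."""
        old = self.by_url.pop(remote_url, None)
        new = self.local_url(remote_url)
        if new is None and old is not None:
            self.by_url[remote_url] = old
            return self.local_prefix + old
        return new
```

Calling `refresh` when the user next signs in gives RPs the updated picture without deep linking, at the cost of the image being stale between logins.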
