> So could you please clarify whether you are saying you agree with John's intended main point, that OPs could (should?) address this with a privacy mechanism (in which case I'm curious whether you think the foundation and spec should require or encourage such mechanisms) *or* whether you think the DOM/JS flaw means OpenID shouldn't worry about user privacy?

I think John's point is that the mechanism to protect privacy should be optionally available to OPs: There should be a rule to allow OPs to push this information without user consent. John anchored this point on the fact that the information is already available via DOM/JS tricks. I think that these DOM/JS tricks are not difficult to fix on the client side, so I would prefer not to make arguments for how to move forward based on accidental circumstances.

Regardless of the justification, one could argue that OPs should not be mandated to implement the privacy solution because they may know better what their consumers want. That is good as far as it goes, but we should still make sure that the design makes it easy for RPs to implement the privacy issue, because if it becomes an issue of technical complexity (as opposed to finding out what users want) and there's a loophole (it's optional), then it will likely not be implemented.

The risk of having no privacy story is a backlash that results in the baby being thrown out with the bath water.
