On 15 Dec 2009, at 18:12, Breno de Medeiros wrote:

>> So could you please clarify whether you are saying you agree with John's
>> intended main point, that OPs could (should?) address this with a privacy
>> mechanism (in which case I'm curious whether you think the foundation and
>> spec should require or encourage such mechanisms) *or* whether you think
>> the DOM/JS flaw means OpenID shouldn't worry about user privacy?
>
> I think John's point is that the mechanism to protect privacy should
> be optionally available to OPs: There should be a rule to allow OPs to
> push this information without user consent.

With 'a rule' you mean, part of OpenID somewhere? If so, I agree.

> John anchored this point on the fact that the information is already
> available via DOM/JS tricks. I think that these DOM/JS tricks are not
> difficult to be fixed on the client side so I would prefer not to make
> arguments for how to move forward based on accidental circumstances.
> Regardless of the justification, one could argue that OPs should not
> be mandated to implement the privacy solution because they may know
> better what their consumers want.

The OP chooses for the consumer? That shouldn't be the case?

> That is good as it goes, but we should still make sure that the design
> makes it easy for RPs to implement the privacy issue,

What do you mean with privacy issue? That the consumer has a setting with the OP to expose the OpenID session or not?

> because if it becomes an issue of technical complexity (as opposed to
> finding out what users want) and there's a loophole (it's optional),
> then it will likely not be implemented.

Therefore I think it should be offered by the OP. People can choose what they want to expose. If that is switched on by default is something else.

> The risk of having no privacy story is a backlash that results in the
> baby being thrown out with the bath water.

What do you mean with 'no privacy story'? I want the consumer to control whether my logged-state is exposed or not. Ideally, I want to be asked when registering if I want 'expose my logged-in-state'.

_______________________________________________
specs mailing list
http://lists.openid.net/mailman/listinfo/openid-specs
