I still worry about end-user experience, privacy, and OpenID
usefulness to RPs running non-trivial services.

Can someone outline how user privacy gets maintained? (and what, if
anything, a user needs to do and/or understand to support this?)

Would any RP handling, say, credit-card data, be comfortable with
adopting the proposed spec?  Think: Amazon, wanting to re-authenticate
upon purchase.

Is my understanding accurate: OpenID is unable to support single
sign-on.  If not - let's assume it's 9am.  I just signed on.  I can visit
RP#1 then RP#2 then RP#3 and go back and forth all day without
hindrance, until I next sign off - yes?

Privacy: during any hypothetical overheard lunchtime conversation
between The CEO of RP#1 and the CEO of RP#2 - nobody's ever going to
hear this fragment of conversation: "... yeah - that troublemaker is
one of our users too ..." - or are they?

Sorry to harp on about the fundamentals.  I'm not so sure the
under-hood work is as important as the "big picture", and I don't
think we've got this last bit right yet.

Kind Regards,
Chris Drake,

specs mailing list
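As an added illustration of the privacy question raised in the post above (this is not code from the post, the OpenID specs, or any identity provider), the following Python sketch contrasts an identity provider asserting one global identifier to every RP with one that derives a per-RP pairwise pseudonym from an IdP-held secret. The realms, user identifier and secret are constructed sample values; the pairwise derivation (HMAC over user and realm) is one generic technique, not a claim about what the spec under discussion does.

```python
import hmac
import hashlib

# Constructed sample values (hypothetical realms, user, and IdP secret).
RP1 = "https://rp1.example/"
RP2 = "https://rp2.example/"
USER = "https://idp.example/alice"           # a single, global identifier
IDP_SECRET = b"constructed-secret-for-illustration"


def global_identifier(user, realm):
    """The same identifier is asserted to every RP, so any two RPs can
    compare notes ("that troublemaker is one of our users too")."""
    return user


def pairwise_identifier(user, realm, secret=IDP_SECRET):
    """Derive a per-RP pseudonym keyed by an IdP-held secret.

    Two RPs receive different, unlinkable values for the same user, while
    the same RP sees a stable value on every visit. Only the IdP can map
    a pseudonym back to the user."""
    msg = f"{user}\n{realm}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"https://idp.example/pw/{mac[:32]}"


def rps_can_link(identifier_fn, user, realm_a, realm_b):
    """Model the 'lunchtime conversation': could RP#1 and RP#2 join their
    user tables on the identifier the IdP gave each of them?"""
    return identifier_fn(user, realm_a) == identifier_fn(user, realm_b)


def recognised_on_return(identifier_fn, user, realm):
    """A pseudonym is only useful if a returning user maps to the same
    account at the same RP."""
    return identifier_fn(user, realm) == identifier_fn(user, realm)


if __name__ == "__main__":
    print("global   linkable across RPs:", rps_can_link(global_identifier, USER, RP1, RP2))
    print("pairwise linkable across RPs:", rps_can_link(pairwise_identifier, USER, RP1, RP2))
    print("pairwise stable at one RP   :", recognised_on_return(pairwise_identifier, USER, RP1))
```

The check an RP-side reviewer would want is the first one: if the assertion carries the same identifier everywhere, cross-site correlation needs no cooperation from the IdP at all. The pairwise variant shifts that linking capability to the IdP alone, which is the trade-off the user has to understand.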
