I think encoding attributes into identifiers has proved to be a bad idea in the past.

Attributes like group membership belong in AX, not in the identifier.

I suspect the idea is to have a pseudonymous identifier that discloses nothing about the person using it other than the fact that they can assert the same ID each time they return to prevent correlation.

This was one of Kim Cameron's laws of identity regarding minimal disclosure.

Info-card takes this approach with personal cards using a PPID + public key that allows a totally pseudonymous identity to be asserted.

I think Google is on the right track using AX to assert identity information like email but keeping the OpenID itself non-correlatable. It also leaves open a path for users moving between OPs if the important part of the assertion is not the URL itself.

I think users should have the option to use both correlatable and non-correlatable identities as appropriate, and wish more OPs supported it.

John Bradley
On 13-May-09, at 12:07 PM, specs-requ...@openid.net wrote:

Date: Tue, 12 May 2009 23:13:01 -0700
From: Luke Shepard <lshep...@facebook.com>
Subject: Re: Requiring Pseudonymous Identifier
To: Martin Atkins <m...@degeneration.co.uk>, OpenID Specs Mailing List <specs@openid.net>

Agreed. If all you want is a group, then I'd think that the response would just not include an identifier.

You could use an extension, perhaps AX, to request information about the group a user belongs to.

For example, if you wanted to understand company membership, you could request and return only http://axschema.org/company/name.

On 5/12/09 11:08 PM, "Martin Atkins" <m...@degeneration.co.uk> wrote:

Chris Messina wrote:

So, imagine I use directed identity in a school application... when I sign in to the OP, it will return something like schoolname.edu/student as the identifier.

Overloading our existing concept of an identifier to support identifying
a group worries me. Most consumers expect an identifier to be for a
person and are designed around this principle.

I think if groups are useful their design should be different such that
consumers are able to distinguish between a user and a group.

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs



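To make concrete what John and Luke describe above (a directed, non-correlatable identifier, with group or company membership carried in AX rather than encoded into the identifier), here is an added example that is not from the thread and not from any OpenID library. The pairwise HMAC derivation, the op.example endpoint and the constructed secret are assumptions; the response signing fields are left out so the focus stays on what is disclosed.

```python
import hashlib, hmac

# Constructed sample values (not from the thread); the secret must stay inside the OP.
OP_ENDPOINT = "https://op.example/id/"
OP_PAIRWISE_SECRET = b"constructed-op-secret"
OPENID_NS = "http://specs.openid.net/auth/2.0"
AX_NS = "http://openid.net/srv/ax/1.0"
IDENTIFIER_SELECT = OPENID_NS + "/identifier_select"


def pairwise_identifier(local_account: str, rp_realm: str) -> str:
    """Assumed OP construction: directed identifier keyed per (account, realm).
    Stable for one RP across visits; two RPs comparing identifiers learn nothing."""
    msg = f"{local_account}\x00{rp_realm}".encode()
    digest = hmac.new(OP_PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()
    return OP_ENDPOINT + digest[:32]


def ax_fetch_request(realm: str, return_to: str) -> dict:
    """RP side: directed-identity checkid_setup asking AX for only the company name."""
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.realm": realm,
        "openid.return_to": return_to,
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_request",
        "openid.ax.type.company": "http://axschema.org/company/name",
    }


def op_positive_assertion(request: dict, local_account: str, attributes: dict) -> dict:
    """OP side: directed identifier plus only the AX attributes the RP asked for.
    Signature fields (assoc_handle, signed, sig, response_nonce) are omitted here."""
    ident = pairwise_identifier(local_account, request["openid.realm"])
    resp = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.claimed_id": ident,
        "openid.identity": ident,
        "openid.return_to": request["openid.return_to"],
        "openid.ns.ax": AX_NS,
        "openid.ax.mode": "fetch_response",
    }
    for key, type_uri in request.items():
        if key.startswith("openid.ax.type.") and type_uri in attributes:
            alias = key.rsplit(".", 1)[1]  # e.g. "company"
            resp[f"openid.ax.type.{alias}"] = type_uri
            resp[f"openid.ax.value.{alias}"] = attributes[type_uri]
    return resp
```

Running the two functions for the same account against two different realms shows the property the thread is after: each RP gets a stable identifier it can recognise on return, the identifiers differ between RPs, and the email attribute held by the OP is never released because only the company type URI was requested.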
