Hi All,

The Simple Registration Extension provides an interface for the RP to pass the OP a link to the RP's privacy policy in the authentication request. According to the SREG spec, OPs SHOULD display this URL to the End User if it is given.

http://openid.net/specs/openid-simple-registration-extension-1_1-01.html#anchor3

Although Attribute Exchange is intended to be a superset of SREG, the AX 1.0 spec omitted this feature. Some OPs (like Yahoo) believe that it's important to link to the RP's privacy policy, so it's unfortunate that this parameter was left out of AX. We think it's important that there's an automated way for an RP to inform the OP about its privacy policy without requiring the RP to pre-register itself with the OP.

Arguably, the RP's privacy policy is relevant even if there's no SREG/AX involved, so perhaps it doesn't make sense to require the RP to use SREG/AX to pass its privacy policy to the OP.

Given that the intent of the openid.sreg.policy_url parameter in SREG is to define an interface for the RP to ask the OP to link to the RP's privacy policy on the OP's UI, it seems that this feature could be included in the OpenID User Interface Extension, which is intended to allow the RP to influence aspects of the OP's UI.

Alternatively, the RP could publish its privacy policy in its discovery document, which does make a lot of sense, but I understand that there's a lot of work going on to define the next generation of discovery, and I'm not quite sure what the timeframe is for that.

Comments?
Allen


_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs