Once more, LJ valid_to timespan.

Kristopher Tate kris at bbridgetech.com
Sun Jul 3 10:58:58 PDT 2005


On 2005/07/02, at 0:29 AM, Brad Fitzpatrick wrote:
> On Sat, 2 Jul 2005, Jean-Luc Delatre wrote:
>
>> Kristopher Tate wrote:
>>
>>>
>>> If you think it's a hassle to log-in with many systems, why make it a
>>> hassle to log-out everywhere? OpenID should be a full-circle, 
>>> complete
>>> solution! This single sign-on only stuff is really silly.
>>
>>
>> Oh, Yeah?
>> So, when you log off any one of the visited sites you log off *all* ?

Yes and No.

>>
>> It seems to me that the purpose of a (may be misnomed) Single Sign On 
>> is
>> not to escape the login/logout dialogs
>> but to avoid password proliferation or dissemination and to share an
>> identity or somesuch weaker ID.
>
> I'm with your school of thought.
>
> - Brad

The reason I brought "Single Sign-Off/Out" to everyone's attention was 
not necessarily to propose an OpenID mode that logs a user out of all 
sites but instead underline the lack of policies and guidelines 
regarding the other half of Logging-in.

And with that notion of a lack of guidelines, why I feel so strong 
about this is because my company has a particular initiative dubbed 
"Transparent Communication".

So, what does transparent communication have to do in regards to 
OpenID? It means that a user doesn't have to know all sorts of dialogs, 
warnings, buttons, and signs. That when they want to communicate or 
even login, everything works the way the user might expect. Think of it 
like Windows or Mac OS. There are certain things that a user has to get 
comfortable with, but once that has happened, a user is more likely to 
know what's going on. For us, Instead of being tied to a certain OS, we 
figure that our partners and technologies should be so familiar that 
it's more of a pleasure to use than a confusion -- that it becomes 
transparent.

On our SSO WebKit, users login with a familiar button. When they decide 
to logout, they are taken to a page on mylevel9.com which asks them if 
they would like to either logout of that particular site, or logout of 
the framework completely.

Our login box also has different settings to ensure that if a user is 
on a public computer, no matter what amount of time that they choose to 
remain logged-in, if the browser closes, their session is removed.

In summery, I wanted to shed light on what everyone expects regarding 
logout, and coincidentally the vaild_to parameter. I particularly like 
to view, from a glance, where I'm logged in; and we've done that with 
Level9 (take a look at our R3 persona center: 
<http://images.bbridgetech.com/kris/level9_persona_firstlook.gif>). 
And, in the end, I wanted to see that _at least_ we had guidelines in 
the OpenID spec regarding logging-out practices.

Other than that, I'm excited to say that my partner and I have figured 
how to get OpenIDs into our framework in a really nifty way. I can't 
wait until you all will be able to do that.

I certainly hope that everyone celebrating July 4th has a safe, fun, 
and enjoyable holiday.

More anon,

-Kris



More information about the yadis mailing list