On 2005/07/01, at 2:28 PM, Carl Howells wrote:

It seems that the underlying issue with using very low token expiration times to implement single signoff is that you are essentially creating a polling system to detect signoff. Something like that creates a lot of unnecessary traffic, and might be a real issue for some higher-use ID servers.

I don't know if there is any real relevance in this discussion at this point, since it depends on how the larger debate over this goes. Even so, I think a polling approach to single signoff isn't the way to go.

Carl

You are right that polling is not the way to go, but instead, why not just wait until the ID server sends an HTTP POST that tells the consumer to remove all session info on your user? Of course there would have to be safeguards in this approach, one being checking whether the ID server is really the ID server who governs over that ID.

I guess it should be said like this: it's debatable how we're going to get there, but even still, what's easiest for the user? Easily logging in everywhere he or she goes and then sluggishly going through many consumer UIs to log out? Or easily logging in and then logging out through their ID server, where they are very comfortable with one UI, the ID server's UI? If you think it's a hassle to log in with many systems, why make it a hassle to log out everywhere?

OpenID should be a full-circle, complete solution! This single sign-on only stuff is really silly.

-Kris
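The push-based signoff Kris sketches above, with the safeguard he mentions, as an added example that is not part of the original thread or of any OpenID specification. It assumes a hypothetical notification format (fields identity, idserver, nonce, ts, sig), a shared secret per ID server such as an association handshake would yield, and a consumer that remembers which ID server vouched for each session. The consumer side verifies the HMAC, rejects stale or replayed notifications, and refuses to drop sessions for an identity that a different ID server vouched for; all sample identities, URLs and secrets are constructed.

```python
import hashlib
import hmac
import secrets
import time


def signing_input(form):
    """Canonical string both sides sign: fixed field order so they agree byte for byte."""
    return "&".join(f"{k}={form[k]}" for k in ("identity", "idserver", "nonce", "ts"))


def build_logout_post(idserver, identity, secret, now=None):
    """ID-server side: the form body it would POST to each consumer when the user signs off.

    Hypothetical message format chosen for this example, not an OpenID message type.
    """
    form = {
        "identity": identity,
        "idserver": idserver,
        "nonce": secrets.token_hex(16),                      # one-time value, defeats replay
        "ts": str(int(now if now is not None else time.time())),
    }
    form["sig"] = hmac.new(secret, signing_input(form).encode(), hashlib.sha256).hexdigest()
    return form


class Consumer:
    """A relying party that accepts pushed signoff notifications instead of polling."""

    def __init__(self, idserver_secrets, max_skew=300):
        self.idserver_secrets = dict(idserver_secrets)   # ID server URL -> shared secret (assumed pre-established)
        self.max_skew = max_skew                          # seconds of clock drift tolerated
        self.sessions = {}                                # session id -> {"identity", "idserver"}
        self.seen_nonces = set()

    def login(self, identity, idserver):
        """Record a session and which ID server vouched for it; that is what the safeguard keys on."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"identity": identity, "idserver": idserver}
        return sid

    def handle_logout_post(self, form, now=None):
        """Process one pushed logout. Returns (accepted, reason, number of sessions removed)."""
        now = now if now is not None else time.time()
        for k in ("identity", "idserver", "nonce", "ts", "sig"):
            if k not in form:
                return (False, f"missing field {k}", 0)
        secret = self.idserver_secrets.get(form["idserver"])
        if secret is None:
            return (False, "unknown ID server", 0)
        # Authenticity: the POST must carry a MAC under the secret shared with the named ID server.
        expected = hmac.new(secret, signing_input(form).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, form["sig"]):
            return (False, "bad signature", 0)
        try:
            ts = int(form["ts"])
        except ValueError:
            return (False, "bad timestamp", 0)
        if abs(now - ts) > self.max_skew:
            return (False, "stale notification", 0)
        if form["nonce"] in self.seen_nonces:
            return (False, "replayed nonce", 0)
        self.seen_nonces.add(form["nonce"])
        # Governance safeguard: only the ID server that vouched for this identity here may log it out.
        matching = [sid for sid, s in self.sessions.items() if s["identity"] == form["identity"]]
        foreign = [sid for sid in matching if self.sessions[sid]["idserver"] != form["idserver"]]
        if foreign:
            return (False, "ID server does not govern this identity here", 0)
        for sid in matching:
            del self.sessions[sid]
        return (True, "ok", len(matching))


if __name__ == "__main__":
    # Constructed walk-through: two ID servers, one of which tries to log out a user it never vouched for.
    c = Consumer({"https://id.example/": b"secret-a", "https://other.example/": b"secret-b"})
    c.login("http://alice.example/", "https://id.example/")
    c.login("http://bob.example/", "https://id.example/")
    good = build_logout_post("https://id.example/", "http://alice.example/", b"secret-a")
    print(c.handle_logout_post(good))
    forged = build_logout_post("https://other.example/", "http://bob.example/", b"secret-b")
    print(c.handle_logout_post(forged))
```

The MAC check proves the POST came from some ID server the consumer trusts; the final check is the one Kris asks for, tying the notification to the ID server that actually authenticated that identity at this consumer. Nonce and timestamp checks stop a captured notification from being replayed to log the user out at will.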