OpenID Single-Sign-Off

Martin Atkins mart at degeneration.co.uk
Fri Jul 1 16:57:19 PDT 2005


Kristopher Tate wrote:
> 
> If we are never going to propose or accept a single sign-off mode, then 
> at least we need standards/guidelines written in the spec explaining good 
> practices for both ID servers and consumers to deal with session data.
> 

I think this is the most workable approach. Fix this as a social/policy 
problem, rather than a technical one.

Some guidelines for consumers as a start:
* Make OpenID logins default to "until browser closes" cookies. 
Optionally allow users to switch to a more permanent mode if they wish. 
(Server-side, this could be implemented in a number of ways which we 
shouldn't try to force.)
* Make it obvious to a user that they are logged in and which identity 
they are logged in as at all times, or at least wherever possible.
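
Added example, not part of the original post or of any OpenID code: one way a consumer could follow both guidelines, with a browser-session cookie by default, an opt-in persistent cookie, and a banner naming the current identity. The cookie name, the lifetimes, the in-memory session store and the HttpOnly/Secure flags are assumptions made for illustration.

```python
import html
import secrets
import time
from http.cookies import SimpleCookie

# Assumed values: the post specifies no lifetimes or cookie name.
REMEMBER_SECONDS = 14 * 24 * 3600  # opt-in "more permanent" mode
BROWSER_SESSION_CAP = 8 * 3600     # server-side cap for the default mode
COOKIE_NAME = "consumer_session"
SESSIONS = {}  # in-memory stand-in for the consumer's session store


def start_login(identity_url, remember=False, now=None):
    """Record a verified OpenID login; return (session id, Set-Cookie value)."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(32)
    lifetime = REMEMBER_SECONDS if remember else BROWSER_SESSION_CAP
    SESSIONS[sid] = {"identity": identity_url, "expires": now + lifetime}
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sid
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True  # hardening flags added here, not from the post
    morsel["secure"] = True
    if remember:
        # Only an explicit opt-in gets Max-Age, which makes the cookie persistent.
        morsel["max-age"] = REMEMBER_SECONDS
    # With no Max-Age or Expires the browser discards the cookie when it closes.
    return sid, morsel.OutputString()


def current_identity(sid, now=None):
    """Return the logged-in identity URL, or None if absent or expired."""
    now = time.time() if now is None else now
    record = SESSIONS.get(sid)
    if record is None or record["expires"] <= now:
        SESSIONS.pop(sid, None)  # expire server-side even if the cookie survives
        return None
    return record["identity"]


def login_banner(sid, now=None):
    """Text for every page so the user sees which identity is logged in."""
    identity = current_identity(sid, now)
    if identity is None:
        return "Not logged in"
    return "Logged in as " + html.escape(identity)
```

The server-side expiry matters because some browsers restore session cookies after a restart, so the cookie lifetime alone does not bound the login.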


