Trust/threat model for OpenID

Dick Hardt dick at
Tue Aug 1 05:08:34 UTC 2006


In our implementations of a Homesite, we let the user select which  
persona they want to be at a new site. One of those is an "anonymous"  
persona that will have a unique URL for each site.

This lets the user decide on a site-by-site basis what is disclosed.

-- Dick

For those of you reading between the lines, Sxip is working on  
supporting OpenID 2.0 now that providing an IdP is possible.

On 31-Jul-06, at 2:32 PM, Johannes Ernst wrote:

> Drummond is on travel, I think, so I'll take the liberty to respond  
> to this ...
> What is and isn't the right default behavior on issues like this is  
> rather hard to determine, unfortunately.
> For example, those of us with a background in privacy would argue  
> that the default behavior MUST (as in uppercase-MUST) be separate  
> identifiers per party. In fact, many are arguing that the whole  
> idea of an identifier-based design (URLs, XRIs, any kind of  
> identifier) is very wrong in the first place.
> On the other hand, we see dramatic market uptake of services like
> MySpace that are a correlator's and
> too-much-personal-information-readily-available dream (as opposed to
> a privacy advocate's).
> Closer to home, ClaimID and a number of other services wouldn't be
> in existence if they hadn't seen a need/desire by a substantial
> number of people to correlate more, rather than less, of their
> on-line identity. The first thing you do there is enter all your
> unique-identifiers-by-party and say they are all correlated.
> So I concur with Drummond: it needs to be a policy decision by the  
> implementor. Some will cater to one market, some to the other.  
> Specifications should work either way.
> Thanks,
> Johannes.
> On Jul 31, 2006, at 13:19, Ben Hyde wrote:
>> On Jul 31, 2006, at 1:15 PM, Drummond Reed wrote:
>>> As far as "the default behavior", that's not quite the
>>> right question:
>> I beg to differ :-).
>>> this is a feature that an OpenID IdP/i-broker either implements or
>>> not. If they've implemented it, a user can do anonymous login simply
>>> by using the identifier of their IdP/i-broker. So it's up to a user
>>> whether they want to be anonymous or not.
>> Right, agreed, assuming somebody demonstrates that it's  
>> implementable.
>> But really, isn't that the wrong design?
>>  - ben
> Johannes Ernst
> NetMesh Inc.
> <lid.gif>
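
An added example, not part of the original thread and not Sxip's code: one way a Homesite could produce the per-site URL for the "anonymous" persona described at the top of this message, so that a site sees a stable identifier but two sites cannot correlate theirs. The HMAC-SHA256 derivation, the base URL, the per-user secret and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumptions (not from the thread): the Homesite's base URL, a per-user
# secret known only to the Homesite, and HMAC-SHA256 as the derivation.
HOMESITE_BASE = "https://homesite.example/anon/"  # constructed placeholder


def normalize_site(site_url: str) -> str:
    """Reduce a site's URL to scheme://host[:port] so that every page of one
    site maps to the same pseudonym."""
    parts = urlsplit(site_url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) site URL: {site_url!r}")
    host = parts.hostname.lower().rstrip(".")
    default_port = {"http": 80, "https": 443}[parts.scheme]
    port = "" if parts.port in (None, default_port) else f":{parts.port}"
    return f"{parts.scheme}://{host}{port}"


def anonymous_persona_url(user_secret: bytes, site_url: str) -> str:
    """Per-site URL: stable for one (user, site) pair, different for every
    other site, and not linkable across sites without user_secret."""
    if len(user_secret) < 32:
        raise ValueError("user_secret must be at least 32 random bytes")
    site = normalize_site(site_url).encode("utf-8")
    tag = hmac.new(user_secret, site, hashlib.sha256).hexdigest()
    return HOMESITE_BASE + tag[:32]  # keep 128 bits of the MAC


def persona_url(persona: str, public_url: str, user_secret: bytes,
                site_url: str) -> str:
    """URL the Homesite discloses for the persona the user picked."""
    if persona == "anonymous":
        return anonymous_persona_url(user_secret, site_url)
    return public_url  # named persona: same, correlatable URL at every site


if __name__ == "__main__":
    secret = secrets.token_bytes(32)  # constructed; stored per user in practice
    for site in ("https://blog.example/login", "https://shop.example/"):
        print(site, "->", persona_url("anonymous", "https://user.example/",
                                      secret, site))
```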
