Wow, good argument, Andrew. Maybe we need to look into the percentages/chances that a user is already logged into one of the RPs. I mean if the chances that the user is already logged into "Facebook, Google, Microsoft, Yahoo (this is in alphabetic order)" is > 25%, then it might be worthwhile that we seriously consider this. Of course this heavily favors the big guys, but I think accepting reality might be in order here. What do you think?

On Mon, Dec 14, 2009 at 8:52 PM, Andrew Arnott <[email protected]> wrote:

> I'm a bit concerned about the privacy aspect, but I'm sure regardless of
> the future spec that OPs will be smart about giving the user the option to
> "advertise" their login status at an OP to an untrusted RP. As I recall the
> way Google resolved the privacy concern is actually giving each domain admin
> the option to advertise or not to RPs.
>
> A standard addition to the protocol would be interesting, to be sure.
> However, it doesn't make as much sense out of the context of Google Apps,
> since that's the only host that represents very many OP endpoints, which is
> what makes it interesting for the RP to poll with the question "hey, which
> OPs is the user logged into?"
>
> From a UI standpoint, even if it were possible for the RP to meaningfully
> ask the question (of someone) "what are all the OPs the user is logged
> into?", I'm dubious about the value of an RP doing so. It wouldn't pass the
> "my mom can login" test if she revisited an RP, and couldn't login because
> her "Google" button was missing. It wouldn't occur to her that she has to
> go to Google herself and log in there before she can log into the RP. Some
> OPs do that today (like Verisign), by refusing to log a user in as part of
> the OpenID flow, but it's not very user-friendly -- and that's when Verisign
> appears at the RP in the first place.
>
> Just my 2 cents.
>
> --
> Andrew Arnott
> "I [may] not agree with what you have to say, but I'll defend to the death
> your right to say it." - S. G. Tallentyre
>
>
> On Mon, Dec 14, 2009 at 7:09 AM, Santosh Rajan <[email protected]> wrote:
>
>> I agree with Andrew, and I think every OP must do the same. Or maybe we
>> add that to the protocol.
>>
>>
>> On Mon, Dec 14, 2009 at 8:17 PM, Andrew Arnott <[email protected]> wrote:
>>
>>> Nope, that's not it either. What I'm thinking of is an aid to pure login
>>> UI -- nothing to do with OAuth. And again, *Google* is supplying the
>>> list of Google Apps domains the user is logged into -- not the RP asking for
>>> each specific domain.
>>>
>>> --
>>> Andrew Arnott
>>> "I [may] not agree with what you have to say, but I'll defend to the
>>> death your right to say it." - S. G. Tallentyre
>>>
>>>
>>> On Mon, Dec 14, 2009 at 6:32 AM, Chris Obdam <[email protected]> wrote:
>>>
>>>> > The solution Dirk/Breno spoke of (as I recall) was a single URL that would return all google apps for domains the user is logged into.
>>>> Ok, clear. Is this the one?
>>>> > openid.ext2.scope - (required) List of URLs identifying the Google service(s) to be accessed. See documentation for the services of interest to get scopes must be space-delimited and properly escaped. This parameter is not defined in the OAuth standards; it is a Google-specific parameter.
>>>>
>>>> Cheers,
>>>>
>>>> Chris Obdam
>>>> Stichting OpenID NL (Dutch OpenID foundation)
>>>>
>>>> > --
>>>> > Andrew Arnott
>>>> > "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>>>> >
>>>> >
>>>> > On Mon, Dec 14, 2009 at 6:14 AM, Chris Obdam <[email protected]> wrote:
>>>> > Andrew,
>>>> >
>>>> > That sounds a lot like the openid.ui.x-has-session variable David mentioned earlier today?
>>>> >
>>>> > More info on http://svn.openid.net/repos/specifications/user_interface/1.0/trunk/openid-user-interface-extension-1_0.html and
>>>> > http://code.google.com/intl/nl-NL/apis/accounts/docs/OpenID.html
>>>> >
>>>> > Cheers,
>>>> >
>>>> > Chris Obdam
>>>> > Stichting OpenID NL (Dutch OpenID foundation)
>>>> >
>>>> > On 14 Dec 2009, at 14:54, Andrew Arnott wrote:
>>>> >
>>>> > > At IIW, Google mentioned that they are trying out a way for Google Apps domains to advertise to RPs that the user is logged into them so that RPs can show a "log into puffypoodles.com" option. Where can we find documentation on how that works?
>>>> > >
>>>> > > Thanks.
>>>> > > --
>>>> > > Andrew Arnott
>>>> > > "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
>>>> > > _______________________________________________
>>>> > > specs mailing list
>>>> > > [email protected]
>>>> > > http://lists.openid.net/mailman/listinfo/openid-specs
>>>> >
>>>> >
>>>>
>>>>
>>>
>>> _______________________________________________
>>> specs mailing list
>>> [email protected]
>>> http://lists.openid.net/mailman/listinfo/openid-specs
>>>
>>>
>>
>>
>> --
>> http://hi.im/santosh
>>
>>
>

--
http://hi.im/santosh
_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
