I still worry about end-user experience, privacy, and OpenID usefulness to RPs running non-trivial services.
Can someone outline how user privacy gets maintained? (And what, if anything, does a user need to do and/or understand to support this?) Would any RP handling, say, credit-card data be comfortable with adopting the proposed spec? Think: Amazon, wanting to re-authenticate upon purchase.

Is my understanding accurate: OpenID is unable to support single sign-on? If not, let's assume it's 9am. I just signed on. I can visit RP#1, then RP#2, then RP#3, and go back and forth all day without hindrance, until I next sign off - yes?

Privacy: during any hypothetical overheard lunchtime conversation between the CEO of RP#1 and the CEO of RP#2, nobody's ever going to hear this fragment of conversation: "... yeah - that troublemaker is one of our users too ..." - or are they?

Sorry to harp on about the fundamentals. I'm not so sure the under-the-hood work is as important as the "big picture", and I don't think we've got this last bit right yet.

Kind Regards,
Chris Drake, =1id.com

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs