On having your private data cached: the current web model allows businesses to simply own your data into a database, correlate it across multiple databases (DoubleClick) and so on.
I think that to expect them to give up this privilege (and revenue stream from targeted advertising) is unrealistic, and caching OpenID data is necessary for them to do so.

Therefore, I'd suggest that OpenID examines the various schemes for providing a "Terms of Service" **from the user end** on access to personal data: "by accessing my address, you attest that you will not 1> store it for more than 30 days after our business transaction is complete, 2> share it with anybody else" and so on. I seem to remember that somebody had a language for expressing those kinds of privacy preferences in a machine-readable form but I'm not having any luck remembering who it was... Possibly the XRI folks know?

At least at that point, users can use the penalty clause on that "shrinkwrap license" on their personal data to sue scumbags ("and if you break these rules, you pay me $500."). HIPAA may also help.

Vinay

_______________________________________________
specs mailing list
specs@openid.net
http://openid.net/mailman/listinfo/specs