2 Jul 09:58
Re: [OpenID] OpenID and SSO
From: Leon Kuunders <leon <at> kuunders.info>
Subject: Re: [OpenID] OpenID and SSO
Newsgroups: gmane.comp.web.openid.general
Date: 2008-07-02 07:58:36 GMT
Think about IP addresses: are they personal information? If so, and following the train of thought mentioned by Dick, a user would not be able to choose to share information without sharing this information.

So I guess this discussion comes down to the difference between logging in (offer credentials) and profiling (offer personal information). These two can, but do not have to be, the same: credentials are not necessarily personal information.

"Click to proceed" would result in "profiling", not "authentication", so SSO can be invisible to the user.

my 2$,
--Leon.

Dick Hardt wrote:
> I think the contractual and privacy issues will require a click to
> login. EU and Canadian privacy laws require the user to have consented
> to acquiring personal information. Similar to the EULA licenses users
> have to actively do something with.
>
> Since it is impossible to know how the user truly arrived at a page,
> and users can arrive at a page without having actively chosen to, the
> site needs the user to actively do something to acknowledge they want
> to share information and not be pseudonymous.
>
> On 1-Jul-08, at 1:47 AM, SitG Admin wrote:
>
>>> Users do not want to login. Really, they don't.
>>>
>>> Therefore you can measure the success of SSO by counting the
>>> disappearing
>>> login "buttons" or "links" on websites who do offer user centric
>>> (profiling)
>>> services.
>>
>> A vital question here, then, is whether the user values privacy
>> enough to forgo this level of convenience. Short of opting to
>> automatically grant all RP requests (and never prompt user for
>> re-authentication to the OP - it can still expire, just don't bother
>> the *user* with renewing it), there is no way to "intelligently"
>> practice selective login for the user.
>>
>>> "Click to proceed", yes,
>>
>> There shouldn't even be that, though. Just go to the site and see the
>> page. No matter how much you abstract the process of authenticating,
>> if they have to take steps to have the service recognize them then
>> it's a login.
>>
>> -Shade
>> _______________________________________________
>> general mailing list
>> general <at> openid.net
>> http://openid.net/mailman/listinfo/general
>
>