2 Jul 19:46
Re: [OpenID] OpenID and SSO
From: Peter Williams <pwilliams <at> rapattoni.com>
Subject: Re: [OpenID] OpenID and SSO
Newsgroups: gmane.comp.web.openid.general
Date: 2008-07-02 17:46:59 GMT

It's establishing that sso does not preclude one being invited or required to confirm the release of the cached web credentials to an rp, using some ui step.

It's very nice that windows sends your credentials automatically to the lan printer also on the domain, so you don't have to provide your password again merely to print. But, this is the only model of sso, and websso in particular.

-----Original Message-----
From: Dick Hardt <dick <at> sxip.com>
Sent: Wednesday, July 02, 2008 9:18 AM
To: leon <at> kuunders.info <leon <at> kuunders.info>
Cc: general <at> openid.net <general <at> openid.net>
Subject: Re: [OpenID] OpenID and SSO

I'm unclear now on where this thread is going ... :)

fwiw: my point was that providing the user something to click rather than type is more desirable -- and propose that for OpenID, letting the user click something to login is a desirable end goal

wrt. below, implicit in a "Click to proceed" is telling the site that you are a specific entity -- so you effectively have signed on.

-- Dick

On 2-Jul-08, at 12:58 AM, Leon Kuunders wrote:

> Think about IP addresses: are they personal information? If so, and
> following the train of thought mentioned by Dick, a user would not be
> able to choose to share information without sharing this information.
>
> So I guess this discussion comes down to the difference between
> logging in (offer credentials) and profiling (offer personal
> information). These two can, but do not have to be, the same:
> credentials are not necessarily personal information.
>
> "Click to proceed" would result in "profiling", not "authentication",
> so SSO can be invisible to the user.
>
> my 2$, --Leon.
>
> Dick Hardt wrote:
>
>> I think the contractual and privacy issues will require a click to
>> login. EU and Canadian privacy laws require the user to have
>> consented to acquiring personal information. Similar to the EULA
>> licenses users have to actively do something with.
>>
>> Since it is impossible to know how the user truly arrived at a page,
>> and users can arrive at a page without having actively chosen to, the
>> site needs the user to actively do something to acknowledge they want
>> to share information and not be pseudonymous.
>>
>> On 1-Jul-08, at 1:47 AM, SitG Admin wrote:
>>
>>>> Users do not want to login. Really, they don't.
>>>>
>>>> Therefore you can measure the success of SSO by counting the
>>>> disappearing login "buttons" or "links" on websites who do offer
>>>> user centric (profiling) services.
>>>
>>> A vital question here, then, is whether the user values privacy
>>> enough to forgo this level of convenience. Short of opting to
>>> automatically grant all RP requests (and never prompt user for
>>> re-authentication to the OP - it can still expire, just don't bother
>>> the *user* with renewing it), there is no way to "intelligently"
>>> practice selective login for the user.
>>>
>>>> "Click to proceed", yes,
>>>
>>> There shouldn't even be that, though. Just go to the site and see
>>> the page. No matter how much you abstract the process of
>>> authenticating, if they have to take steps to have the service
>>> recognize them then it's a login.
>>>
>>> -Shade
>>> _______________________________________________
>>> general mailing list
>>> general <at> openid.net
>>> http://openid.net/mailman/listinfo/general
>>
> _______________________________________________
> general mailing list
> general <at> openid.net
> http://openid.net/mailman/listinfo/general

_______________________________________________
general mailing list
general <at> openid.net
http://openid.net/mailman/listinfo/general