Fixing usability: can OPs indicate their claimed_id's are PPID's?

by Andrew Arnott

A usability issue with OpenID is that while "blog.nerdbank.net" makes for a reasonable "username" for an RP to display as I log in with my "vanity URL", my Google-given claimed_id at an RP is not suitable for display as my username.  Rather than have RPs hard-code an increasing number of OPs that issue these, particularly since some OPs can issue PPIDs at some times and not others based on user preference, can we get OPs to somehow indicate with the assertion that the identifier is not intended for human consumption?

We already have a way: a PAPE authentication policy with this URI: (which comes from the ICAM OpenID 2.0 profile)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier

Can we get Google, and any other OPs that issue these identifiers, to include this PAPE policy?

One possibility is to include this PAPE policy in the response if it was included in the request, but if an RP doesn't particularly want to request a PPID, but merely wants to know if it gets one, requesting this policy in PAPE doesn't seem appropriate.

Any other ideas?

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre

_______________________________________________
general mailing list
general@...
http://lists.openid.net/mailman/listinfo/openid-general

Re: Fixing usability: can OPs indicate their claimed_id's are PPID's?

by John Bradley-9

The OP can send a PAPE response even if there is no PAPE request.  

Yahoo is including PAPE in all their responses.

The PPID URI has a specific meaning with respect to correlation.

Some providers (like Yahoo) use identifiers that are still correlatable simply to hide the email address where that is tied to the account name.

I don't think those should return the PPID PAPE URI.

This gets more complicated as the number of possible identifier types for openID expands.
For the moment we have XRI, URLs that point to profile pages, and URLs that don't point to profiles.

If we were to allow other things as claimed_id in the future it gets more complicated.

Perhaps another way to ask the question is if the claimed_id points to profile info.

If it doesn't then there is no real reason to try and use it as the local "username".

We also need to consider what new users are likely to understand.  The web site using a URL that points to an external profile page may be what we anticipate but it may be a surprise to a normal user.

While that may have been great for the original blog commenting use case,  I don't know that it holds true for many consumer sites now taking openID.

John B.


Re: Fixing usability: can OPs indicate their claimed_id's are PPID's?

by Santosh Rajan

Hi Andrew,
This is really not about the RP or the OP. It is about the "user". If the user agrees then Google already provides his email address, and name.
Maybe we need to re-think the whole issue.



--
http://hi.im/santosh




Re: Fixing usability: can OPs indicate their claimed_id's are PPID's?

by Andrew Arnott

Santosh,

Don't forget that some RPs (like mine) don't want the email address or full name of the user.  OpenID has already solved the problem of RP and OP recognizing the user.  So I agree this isn't particularly about the RP or OP -- but more about helping the user recognize that indeed he is the one logged into the RP he's clicking around within.  But to do that, we need additional RP-OP communication.  So it is about the RP and OP after all. 

--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre



Re: Fixing usability: can OPs indicate their claimed_id's are PPID's?

by John Bradley-9

Andrew,

If it is a display name for showing to the user, that is what SREG nickname is for.
It doesn't need to be unique.

If it is for showing other people who the user is, that is more complicated.

John B.

Re: Fixing usability: can OPs indicate their claimed_id's are PPID's?

by Andrew Arnott

I agree.  

Google and Yahoo don't offer nicknames, last I checked.  That would definitely help alleviate.  AX also has a nickname type URI, so Google could support it.

Some really poor RPs have actually failed to log me in because my OP did offer a nickname, and it didn't happen to fit into the RP's uniqueness constraint.  The RP didn't even give me a chance to choose another.  Yech.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre



Re: Fixing usability: can OPs indicate their claimed_id's are PPID's?

by Santosh Rajan

Ok got you, didn't think of the nickname.

--
http://hi.im/santosh




Re: Fixing usability: can OPs indicate their claimed_id's are PPID's?

by John Bradley-9

I suspect that getting the IdP to support nickname in SREG and AX is the shortest path to some solution.

Since it is self asserted the user can use a name, email, or URI as they like.

I suppose that if the IdP is using some nice globally unique URI for the person they can always throw that in nickname by default.

It is hard to know if an RP needs a unique nickname for the user.

It would be nice if all RPs used claimed_id for the primary key and something that doesn't need to be unique for the display name.  Unfortunately a lot of RP's are using the display name as the primary key.

John B.

Re: Fixing usability: can OPs indicate their claimed_id's are PPID's?

by Shane B Weeden

With the competing requirements of privacy vs vanity-url I believe it's
likely RP's are going to have to move away from displaying the
user-supplied or claimed identifier and relying on SREG/AX for the "display
name", at least for OP-identifier based logins. If no data is available
from SREG/AX, a locally stored profile on the RP will need to store the
display name.  Some RP's are only ever going to use the claimed identifier
as an account lookup key (e.g. those using the ICAM PAPE policy
http://www.idmanagement.gov/schema/2009/05/icam/no-pii.pdf). In that case
anything displayed about the user will have to be stored/managed by the RP
itself anyway.




                                                                                                                                     
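An added sketch of the RP-side handling discussed in the two messages above (claimed_id as the account key, PPID detection through an unsolicited PAPE response, nickname from SREG or AX, and a locally stored display name as the fallback). It is not code from any poster or from an OpenID library; it assumes the RP's library has already verified the signature, handles only the SREG 1.1 and AX 1.0 namespaces, and the function names, the in-memory account store and the op.example identifiers are hypothetical.

```python
from urllib.parse import parse_qsl, urlencode

PPID_POLICY = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
               "privatepersonalidentifier")  # the URI quoted in the thread
NS_PAPE = "http://specs.openid.net/extensions/pape/1.0"
NS_SREG = "http://openid.net/extensions/sreg/1.1"
NS_AX = "http://openid.net/srv/ax/1.0"
AX_NICKNAME = "http://axschema.org/namePerson/friendly"


def signed_fields(query):
    """Keep only fields listed in openid.signed (keys lose 'openid.').

    Assumption: openid.sig was verified upstream. Unsigned extension values
    are dropped because anyone relaying the response could have added them.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    names = params.get("openid.signed", "").split(",")
    return {n: params["openid." + n] for n in names if "openid." + n in params}


def alias_for(fields, ns_uri):
    """Return the alias the OP bound to an extension namespace, if any."""
    for key, value in fields.items():
        if key.startswith("ns.") and value == ns_uri:
            return key[len("ns."):]
    return None


def is_ppid(fields):
    """True when the PAPE response lists the PPID policy, requested or not."""
    pape = alias_for(fields, NS_PAPE)
    policies = fields.get(f"{pape}.auth_policies", "") if pape else ""
    return PPID_POLICY in policies.split()


def asserted_nickname(fields):
    """Self-asserted nickname from SREG, else from AX; None if neither."""
    sreg = alias_for(fields, NS_SREG)
    if sreg and fields.get(f"{sreg}.nickname"):
        return fields[f"{sreg}.nickname"]
    ax = alias_for(fields, NS_AX)
    if ax:
        prefix = f"{ax}.type."
        for key, value in fields.items():
            if key.startswith(prefix) and value == AX_NICKNAME:
                return fields.get(f"{ax}.value.{key[len(prefix):]}") or None
    return None


def login(accounts, query):
    """Return (claimed_id, display_name); display_name None means 'ask the user'."""
    fields = signed_fields(query)
    if "claimed_id" not in fields:
        raise ValueError("claimed_id missing or not signed")
    claimed_id = fields["claimed_id"]
    # The account key is always claimed_id, never the display name.
    account = accounts.setdefault(claimed_id, {"display_name": None})
    if account["display_name"] is None:
        nickname = asserted_nickname(fields)
        if nickname:
            account["display_name"] = nickname    # need not be unique
        elif not is_ppid(fields):
            account["display_name"] = claimed_id  # e.g. a vanity URL
    return claimed_id, account["display_name"]


def build_query(claimed_id, signed_ext=None, unsigned_ext=None):
    """Constructed sample assertion for the demo; not captured traffic."""
    fields = {"claimed_id": claimed_id, "identity": claimed_id}
    fields.update(signed_ext or {})
    params = {"openid." + k: v for k, v in fields.items()}
    params["openid.signed"] = ",".join(fields)
    params.update({"openid." + k: v for k, v in (unsigned_ext or {}).items()})
    return urlencode(params)


if __name__ == "__main__":
    store = {}
    pape = {"ns.pape": NS_PAPE, "pape.auth_policies": PPID_POLICY}
    nick = {**pape, "ns.sreg": NS_SREG, "sreg.nickname": "andrew"}
    print(login(store, build_query("http://blog.nerdbank.net/")))
    print(login(store, build_query("https://op.example/id?id=SAMPLE-1", pape)))
    print(login(store, build_query("https://op.example/id?id=SAMPLE-2", nick)))
    print(login(store, build_query("https://op.example/id?id=SAMPLE-3", nick)))
```

Two different claimed_ids arriving with the same nickname both log in, because the nickname is only ever displayed and never used as a lookup key.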

Re: Fixing usability: can OPs indicate their claimed_id's are PPID's?

by Allen Tom-2

Andrew Arnott wrote:  
>
> Google and Yahoo don't offer nicknames, last I checked.

The Yahoo OP supports nickname via AX or SREG.
We're still testing AX/SREG, so RPs that want to test it should send me
a note and we'll enable it for you.

Thanks
Allen
