
|
SREG's Privacy Policy URL
Hi All,
The Simple Registration Extension provides an interface for the RP to
pass the OP a link to the RP's privacy policy in the authentication
request. According to the SREG spec, OPs SHOULD display this URL to the
End User if it is given.
http://openid.net/specs/openid-simple-registration-extension-1_1-01.html#anchor3
Although Attribute Exchange is intended to be a superset of SREG, the
AX 1.0 spec omitted this feature. Some OPs (like Yahoo) believe that
it's important to link to the RP's privacy policy, so it's unfortunate
that this parameter was left out of AX. We think it's important that
there's an automated way for an RP to inform the OP about its privacy
policy without requiring the RP to pre-register itself with the OP.
Arguably, the RP's privacy policy is relevant even if there's no SREG/AX
involved, so perhaps it doesn't make sense to require the RP to use
SREG/AX to pass its privacy policy to the OP.
Given that the intent of the openid.sreg.policy_url parameter in SREG is
to define an interface for the RP to ask the OP to link to the RP's
privacy policy on the OP's UI, it seems that this feature could be
included in the OpenID User Interface Extension, which is intended to
allow the RP to influence aspects of the OP's UI.
Alternatively, the RP could publish its privacy policy in its discovery
document, which does make a lot of sense, but I understand that there's
a lot of work going on to define the next generation of discovery, and
I'm not quite sure what the timeframe is for that.
Comments?
Allen
_______________________________________________
specs mailing list
specs@...
http://openid.net/mailman/listinfo/specs
|

|
Re: SREG's Privacy Policy URL
FWIW, Facebook Connect allows relying parties to define a “terms of service” url. We then show that link to users when they click on it. With OpenID, the equivalent URL would be set using relying party discovery. Is this more or less what you’re looking for?
Screenshot:

On 6/2/09 10:21 AM, "Allen Tom" <atom@...> wrote:
Alternatively, the RP could publish its privacy policy in its discovery
document, which does make a lot of sense, but I understand that there's
a lot of work going on to define the next generation of discovery, and
I'm not quite sure what the timeframe is for that.
|

|
Re: SREG's Privacy Policy URL
Hi Luke,
Yes, this is what we're looking for. Currently, in OpenID, the only way
for the RP to link to its privacy policy (which is sort of like linking
to its ToS) is by passing it in the openid.sreg.policy_url parameter
using SREG.
Since we're trying to deprecate SREG, we can try to move this parameter
to either the UI or AX Extension, or move it into Discovery.
Is there an actual Discovery spec?
Allen
Luke Shepard wrote:
FWIW, Facebook Connect allows relying parties
to define a “terms of service” url. We then show that link to users
when they click on it. With OpenID, the equivalent URL would be set
using relying party discovery. Is this more or less what you’re looking
for?
Screenshot:

On 6/2/09 10:21 AM, "Allen Tom" <atom@...> wrote:
Alternatively, the RP could publish its privacy policy in its discovery
document, which does make a lot of sense, but I understand that there's
a lot of work going on to define the next generation of discovery, and
I'm not quite sure what the timeframe is for that.
|

|
Re: SREG's Privacy Policy URL
I think for a short-term solution we'd need to define service "types"
for the privacy policy and TOS for XRDS.
For the long-term, the same could potentially be used as "rel" values in
the XRD markup. The XRD spec is solidifying but is not 100% stable.
I think we should have a discovery option regardless of whether we
update UX or AX. So I'd like to see a proposal for XRDS and then when
XRD is available, supporting that.
Thanks,
George
Allen Tom wrote:
> Hi Luke,
>
> Yes, this is what we're looking for. Currently, in OpenID, the only
> way for the RP to link to its privacy policy (which is sort of like
> linking to its ToS) is by passing it in the openid.sreg.policy_url
> parameter using SREG.
>
> Since we're trying to deprecate SREG, we can try to move this
> parameter to either the UI or AX Extension, or move it into Discovery.
>
> Is there an actual Discovery spec?
>
> Allen
>
>
> Luke Shepard wrote:
>> FWIW, Facebook Connect allows relying parties to define a “terms of
>> service” url. We then show that link to users when they click on it.
>> With OpenID, the equivalent URL would be set using relying party
>> discovery. Is this more or less what you’re looking for?
>>
>> Screenshot:
>>
>>
>>
>>
>> On 6/2/09 10:21 AM, "Allen Tom" < atom@...> wrote:
>>
>>
>> Alternatively, the RP could publish its privacy policy in its
>> discovery
>> document, which does make a lot of sense, but I understand that
>> there's
>> a lot of work going on to define the next generation of
>> discovery, and
>> I'm not quite sure what the timeframe is for that.
>>
>
|

|
Re: SREG's Privacy Policy URL
OK, how about if we define a new Privacy Policy <Service> for RPs to
include in their XRDS, with a link to their privacy policy?
So the RP would just include the following snippet in its discovery
document, discoverable under its realm:
<Service>
<Type>http://specs.openid.net/path/to/privacy/policy</Type>
<URI>http://www.relyingparty.com/path/to/privacy/policy.html</URI>
</Service>
I'm not sure where we can formally document this. I guess we can put it
in the UI spec?
Allen
George Fletcher wrote:
> I think for a short-term solution we'd need to define service "types"
> for the privacy policy and TOS for XRDS.
>
> For the long-term, the same could potentially be used as "rel" values
> in the XRD markup. The XRD spec is solidifying but is not 100% stable.
>
> I think we should have a discovery option regardless of whether we
> update UX or AX. So I'd like to see a proposal for XRDS and then when
> XRD is available, supporting that.
>
> Thanks,
> George
>
> Allen Tom wrote:
>> Hi Luke,
>>
>> Yes, this is what we're looking for. Currently, in OpenID, the only
>> way for the RP to link to its privacy policy (which is sort of like
>> linking to its ToS) is by passing it in the openid.sreg.policy_url
>> parameter using SREG.
>>
>> Since we're trying to deprecate SREG, we can try to move this
>> parameter to either the UI or AX Extension, or move it into Discovery.
>>
>> Is there an actual Discovery spec?
>>
>> Allen
>>
>>
>> Luke Shepard wrote:
>>> FWIW, Facebook Connect allows relying parties to define a “terms of
>>> service” url. We then show that link to users when they click on it.
>>> With OpenID, the equivalent URL would be set using relying party
>>> discovery. Is this more or less what you’re looking for?
>>>
>>> Screenshot:
>>>
>>>
>>>
>>>
>>> On 6/2/09 10:21 AM, "Allen Tom" < atom@...> wrote:
>>>
>>>
>>> Alternatively, the RP could publish its privacy policy in its
>>> discovery
>>> document, which does make a lot of sense, but I understand that
>>> there's
>>> a lot of work going on to define the next generation of
>>> discovery, and
>>> I'm not quite sure what the timeframe is for that.
>>>
>>
|
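An added example, not part of the original thread: one way an OP could consume the `<Service>` element proposed above, reading the RP's XRDS and returning the privacy policy link only when it is safe to render in the OP's UI. The Type URI is the placeholder from the message; the function names, the rule that the link must be an http(s) URL on a host covered by the realm, and the sample document are assumptions made for this illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Placeholder Type URI copied from the thread; no final value was agreed there.
PRIVACY_POLICY_TYPE = "http://specs.openid.net/path/to/privacy/policy"
XRD_NS = "xri://$xrd*($v*2.0)"  # XRD 2.0 namespace used inside XRDS documents


def _q(name):
    """Qualify an element name with the XRD namespace for ElementTree."""
    return "{%s}%s" % (XRD_NS, name)


def _host_in_realm(host, realm):
    """True if host is covered by the realm, honouring a leading '*.' wildcard."""
    realm_host = (urlsplit(realm).hostname or "").lower()
    host = host.lower()
    if realm_host.startswith("*."):
        base = realm_host[2:]
        return host == base or host.endswith("." + base)
    return host == realm_host


def _is_displayable(url, realm):
    """Assumed OP policy: absolute http(s) URL, no credentials, host inside the realm."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:  # malformed authority, e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    if parts.username or parts.password:
        return False
    return _host_in_realm(host, realm)


def _priority(element):
    """XRDS priority: lower sorts first; a missing or invalid value sorts last."""
    try:
        return int(element.get("priority", ""))
    except ValueError:
        return float("inf")


def privacy_policy_url(xrds_text, realm):
    """Return the RP's privacy policy URL from its XRDS, or None if absent or unsafe."""
    # A discovery document has no need for a DTD; refuse it rather than expand entities.
    if re.search(r"<!\s*(DOCTYPE|ENTITY)", xrds_text, re.IGNORECASE):
        return None
    try:
        root = ET.fromstring(xrds_text)
    except ET.ParseError:
        return None
    ranked = []
    for service in root.iter(_q("Service")):
        types = {(t.text or "").strip() for t in service.findall(_q("Type"))}
        if PRIVACY_POLICY_TYPE not in types:
            continue
        for uri in service.findall(_q("URI")):
            url = (uri.text or "").strip()
            if _is_displayable(url, realm):
                # Document order breaks ties between equal priorities.
                ranked.append((_priority(uri), len(ranked), url))
    return min(ranked)[2] if ranked else None


# Constructed sample: an RP discovery document carrying the proposed Service
# next to the OpenID 2.0 return_to Service.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/return_to</Type>
      <URI>http://www.relyingparty.com/openid/return</URI>
    </Service>
    <Service>
      <Type>http://specs.openid.net/path/to/privacy/policy</Type>
      <URI>http://www.relyingparty.com/path/to/privacy/policy.html</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

if __name__ == "__main__":
    print(privacy_policy_url(SAMPLE_XRDS, "http://*.relyingparty.com/"))
    print(privacy_policy_url(SAMPLE_XRDS, "http://www.other.example/"))
```

Because the link comes from a document the RP controls, the OP treats it as untrusted input: anything that is not a plain http(s) URL on the RP's own realm is dropped instead of being shown to the user.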

|
Re: SREG's Privacy Policy URL
I like this idea best. UI spec, and a future version of the AX spec can mention this.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
On Tue, Jun 2, 2009 at 11:14 AM, Allen Tom <atom@...> wrote:
OK, how about if we define a new Privacy Policy <Service> for RPs to include in their XRDS, with a link to their privacy policy?
So the RP would just include the following snippet in its discovery document, discoverable under its realm:
<Service>
<Type>http://specs.openid.net/path/to/privacy/policy</Type>
<URI>http://www.relyingparty.com/path/to/privacy/policy.html</URI>
</Service>
I'm not sure where we can formally document this. I guess we can put it in the UI spec?
Allen
George Fletcher wrote:
I think for a short-term solution we'd need to define service "types" for the privacy policy and TOS for XRDS.
For the long-term, the same could potentially be used as "rel" values in the XRD markup. The XRD spec is solidifying but is not 100% stable.
I think we should have a discovery option regardless of whether we update UX or AX. So I'd like to see a proposal for XRDS and then when XRD is available, supporting that.
Thanks,
George
Allen Tom wrote:
Hi Luke,
Yes, this is what we're looking for. Currently, in OpenID, the only way for the RP to link to its privacy policy (which is sort of like linking to its ToS) is by passing it in the openid.sreg.policy_url parameter using SREG.
Since we're trying to deprecate SREG, we can try to move this parameter to either the UI or AX Extension, or move it into Discovery.
Is there an actual Discovery spec?
Allen
Luke Shepard wrote:
FWIW, Facebook Connect allows relying parties to define a “terms of service” url. We then show that link to users when they click on it. With OpenID, the equivalent URL would be set using relying party discovery. Is this more or less what you’re looking for?
Screenshot:
On 6/2/09 10:21 AM, "Allen Tom" <atom@...> wrote:
Alternatively, the RP could publish its privacy policy in its
discovery
document, which does make a lot of sense, but I understand that
there's
a lot of work going on to define the next generation of
discovery, and
I'm not quite sure what the timeframe is for that.
|

|
Re: SREG's Privacy Policy URL
Is there a way this can be internationalized?
On Jun 2, 2009, at 11:14, Allen Tom wrote:
> OK, how about if we define a new Privacy Policy <Service> for RPs to
> include in their XRDS, with a link to their privacy policy?
>
> So the RP would just include the following snippet in its discovery
> document, discoverable under its realm:
>
> <Service>
> <Type>http://specs.openid.net/path/to/privacy/policy</Type>
> <URI>http://www.relyingparty.com/path/to/privacy/policy.html</URI>
> </Service>
>
> I'm not sure where we can formally document this. I guess we can put
> it in the UI spec?
>
> Allen
>
>
>
> George Fletcher wrote:
>> I think for a short-term solution we'd need to define service
>> "types" for the privacy policy and TOS for XRDS.
>>
>> For the long-term, the same could potentially be used as "rel"
>> values in the XRD markup. The XRD spec is solidifying but is not
>> 100% stable.
>>
>> I think we should have a discovery option regardless of whether we
>> update UX or AX. So I'd like to see a proposal for XRDS and then
>> when XRD is available, supporting that.
>>
>> Thanks,
>> George
>>
>> Allen Tom wrote:
>>> Hi Luke,
>>>
>>> Yes, this is what we're looking for. Currently, in OpenID, the
>>> only way for the RP to link to its privacy policy (which is sort
>>> of like linking to its ToS) is by passing it in the
>>> openid.sreg.policy_url parameter using SREG.
>>>
>>> Since we're trying to deprecate SREG, we can try to move this
>>> parameter to either the UI or AX Extension, or move it into
>>> Discovery.
>>>
>>> Is there an actual Discovery spec?
>>>
>>> Allen
>>>
>>>
>>> Luke Shepard wrote:
>>>> FWIW, Facebook Connect allows relying parties to define a “terms
>>>> of service” url. We then show that link to users when they click
>>>> on it. With OpenID, the equivalent URL would be set using relying
>>>> party discovery. Is this more or less what you’re looking for?
>>>>
>>>> Screenshot:
>>>>
>>>>
>>>>
>>>>
>>>> On 6/2/09 10:21 AM, "Allen Tom" < atom@...> wrote:
>>>>
>>>>
>>>> Alternatively, the RP could publish its privacy policy in its
>>>> discovery
>>>> document, which does make a lot of sense, but I understand that
>>>> there's
>>>> a lot of work going on to define the next generation of
>>>> discovery, and
>>>> I'm not quite sure what the timeframe is for that.
>>>>
>>>
|

|
Re: SREG's Privacy Policy URL
Would internationalizing entail the OP getting the URL for the RP's privacy policy in the right language? If so, why not just have one URL and let the RP detect the user agent's preferred language? (Yes, I know the UI extension has this for the reason that the user agent isn't properly configured, so it's an interesting point...)
-- Andrew Arnott "I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
On Tue, Jun 2, 2009 at 11:24 AM, Johannes Ernst <jernst+openid.net@netmesh.us> wrote:
Is there a way this can be internationalized?
On Jun 2, 2009, at 11:14, Allen Tom wrote:
OK, how about if we define a new Privacy Policy <Service> for RPs to include in their XRDS, with a link to their privacy policy?
So the RP would just include the following snippet in its discovery document, discoverable under its realm:
<Service>
<Type>http://specs.openid.net/path/to/privacy/policy</Type>
<URI>http://www.relyingparty.com/path/to/privacy/policy.html</URI>
</Service>
I'm not sure where we can formally document this. I guess we can put it in the UI spec?
Allen
George Fletcher wrote:
I think for a short-term solution we'd need to define service "types" for the privacy policy and TOS for XRDS.
For the long-term, the same could potentially be used as "rel" values in the XRD markup. The XRD spec is solidifying but is not 100% stable.
I think we should have a discovery option regardless of whether we update UX or AX. So I'd like to see a proposal for XRDS and then when XRD is available, supporting that.
Thanks,
George
Allen Tom wrote:
Hi Luke,
Yes, this is what we're looking for. Currently, in OpenID, the only way for the RP to link to its privacy policy (which is sort of like linking to its ToS) is by passing it in the openid.sreg.policy_url parameter using SREG.
Since we're trying to deprecate SREG, we can try to move this parameter to either the UI or AX Extension, or move it into Discovery.
Is there an actual Discovery spec?
Allen
Luke Shepard wrote:
FWIW, Facebook Connect allows relying parties to define a “terms of service” url. We then show that link to users when they click on it. With OpenID, the equivalent URL would be set using relying party discovery. Is this more or less what you’re looking for?
Screenshot:
On 6/2/09 10:21 AM, "Allen Tom" <atom@...> wrote:
Alternatively, the RP could publish its privacy policy in its
discovery
document, which does make a lot of sense, but I understand that
there's
a lot of work going on to define the next generation of
discovery, and
I'm not quite sure what the timeframe is for that.
|

|
Re: SREG's Privacy Policy URL
The XRDS discovery spec is defined by the XRI 2.0 spec as profiled by Yadis.
There is a new discovery spec that converges XRDS Simple as used in OAuth, Yadis and XRI.
That is the XRD 1.0 spec currently under development in the XRI TC at OASIS.
There will need to be a profile of the discovery spec as part of OpenID 2.1 if that is desired.
Google, Yahoo and others are contributing to the XRD spec.
There are references in OpenID 2.0 and the extensions on what needs to go into an XRDS, but there is no comprehensive profile of XRDS for OpenID that defines where new Services or extension elements are added.
I agree that communicating RP TOS and Privacy via RP Discovery is a likely candidate.
The CX (contract exchange) workgroup is also looking at some of the same issues where those policies need to be signed by the user.
I know that is a requirement in Europe for accessing government sites, from my conversations with the people from the STORK initiative.
We may need lightweight policy display and the more heavyweight signing ability that CX brings to the table to work across all the use cases from different jurisdictions.
John B.
Date: Tue, 02 Jun 2009 10:55:55 -0700
From: Allen Tom <atom@...>
Subject: Re: SREG's Privacy Policy URL
To: Luke Shepard <lshepard@...>, "specs@..." <specs@...>
Hi Luke,
Yes, this is what we're looking for. Currently, in OpenID, the only way for the RP to link to its privacy policy (which is sort of like linking to its ToS) is by passing it in the openid.sreg.policy_url parameter using SREG.
Since we're trying to deprecate SREG, we can try to move this parameter to either the UI or AX Extension, or move it into Discovery.
Is there an actual Discovery spec?
Allen
Luke Shepard wrote:
FWIW, Facebook Connect allows relying parties to define a "terms of
service" url. We then show that link to users when they click on it.
With OpenID, the equivalent URL would be set using relying party
discovery. Is this more or less what you're looking for?
Screenshot:
|

|
Re: SREG's Privacy Policy URL
The internationalization problem is one of the reasons why it might
make more sense for the privacy policy url to be passed in as a
parameter by the RP. The RP already is passing the user's language to
the OP as part of the UI extension, so we could just make this an
additional parameter.
Alternatively, we can just say that the RP has a single privacy policy
url, and the Privacy Policy URL can take an optional openid.ui.lang
parameter. The privacy policy url can be discoverable.
Allen
Andrew Arnott wrote:
Would internationalizing entail the OP getting the URL for
the RP's privacy policy in the right language?
If so, why not just have one URL and let the RP detect the user agent's
preferred language? (Yes, I know the UI extension has this for the
reason that the user agent isn't properly configured, so it's an
interesting point...)
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - S. G. Tallentyre
On Tue, Jun 2, 2009 at 11:24 AM, Johannes Ernst <jernst+openid.net@netmesh.us> wrote:
Is there a way this can be internationalized?
On Jun 2, 2009, at 11:14, Allen Tom wrote:
OK, how about if we define a new Privacy Policy <Service> for RPs
to include in their XRDS, with a link to their privacy policy?
So the RP would just include the following snippet in its discovery
document, discoverable under its realm:
<Service>
<Type>http://specs.openid.net/path/to/privacy/policy</Type>
<URI>http://www.relyingparty.com/path/to/privacy/policy.html</URI>
</Service>
I'm not sure where we can formally document this. I guess we can put it
in the UI spec?
Allen
George Fletcher wrote:
I think for a short-term solution we'd need to define service "types"
for the privacy policy and TOS for XRDS.
For the long-term, the same could potentially be used as "rel" values
in the XRD markup. The XRD spec is solidifying but is not 100% stable.
I think we should have a discovery option regardless of whether we
update UX or AX. So I'd like to see a proposal for XRDS and then when
XRD is available, supporting that.
Thanks,
George
Allen Tom wrote:
Hi Luke,
Yes, this is what we're looking for. Currently, in OpenID, the only way
for the RP to link to its privacy policy (which is sort of like linking
to its ToS) is by passing it in the openid.sreg.policy_url parameter
using SREG.
Since we're trying to deprecate SREG, we can try to move this parameter
to either the UI or AX Extension, or move it into Discovery.
Is there an actual Discovery spec?
Allen
Luke Shepard wrote:
FWIW, Facebook Connect allows relying parties to define a “terms of
service” url. We then show that link to users when they click on it.
With OpenID, the equivalent URL would be set using relying party
discovery. Is this more or less what you’re looking for?
Screenshot:
On 6/2/09 10:21 AM, "Allen Tom" <atom@...>
wrote:
Alternatively, the RP could publish its privacy policy in its
discovery
document, which does make a lot of sense, but I understand that
there's
a lot of work going on to define the next generation of
discovery, and
I'm not quite sure what the timeframe is for that.
|

|
Re: SREG's Privacy Policy URL
Whether we go for passing a parameter or not, I like the idea of (also) having RP discovery offer a URL as well so that unsolicited assertions from OPs can show the privacy policy to the user.
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
On Tue, Jun 2, 2009 at 11:44 AM, Allen Tom <atom@...> wrote:
The internationalization problem is one of the reasons why it might
make more sense for the privacy policy url to be passed in as a
parameter by the RP. The RP already is passing the user's language to
the OP as part of the UI extension, so we could just make this an
additional parameter.
Alternatively, we can just say that the RP has a single privacy policy
url, and the Privacy Policy URL can take an optional openid.ui.lang
parameter. The privacy policy url can be discoverable.
Allen
Andrew Arnott wrote:
Would internationalizing entail the OP getting the URL for
the RP's privacy policy in the right language?
If so, why not just have one URL and let the RP detect the user agent's
preferred language? (Yes, I know the UI extension has this for the
reason that the user agent isn't properly configured, so it's an
interesting point...)
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the
death your right to say it." - S. G. Tallentyre
On Tue, Jun 2, 2009 at 11:24 AM, Johannes Ernst <jernst+openid.net@netmesh.us> wrote:
Is there a way this can be internationalized?
On Jun 2, 2009, at 11:14, Allen Tom wrote:
OK, how about if we define a new Privacy Policy <Service> for RPs
to include in their XRDS, with a link to their privacy policy?
So the RP would just include the following snippet in its discovery
document, discoverable under its realm:
<Service>
<Type>http://specs.openid.net/path/to/privacy/policy</Type>
<URI>http://www.relyingparty.com/path/to/privacy/policy.html</URI>
</Service>
I'm not sure where we can formally document this. I guess we can put it
in the UI spec?
Allen
George Fletcher wrote:
I think for a short-term solution we'd need to define service "types"
for the privacy policy and TOS for XRDS.
For the long-term, the same could potentially be used as "rel" values
in the XRD markup. The XRD spec is solidifying but is not 100% stable.
I think we should have a discovery option regardless of whether we
update UX or AX. So I'd like to see a proposal for XRDS and then when
XRD is available, supporting that.
Thanks,
George
Allen Tom wrote:
Hi Luke,
Yes, this is what we're looking for. Currently, in OpenID, the only way
for the RP to link to its privacy policy (which is sort of like linking
to its ToS) is by passing it in the openid.sreg.policy_url parameter
using SREG.
Since we're trying to deprecate SREG, we can try to move this parameter
to either the UI or AX Extension, or move it into Discovery.
Is there an actual Discovery spec?
Allen
Luke Shepard wrote:
FWIW, Facebook Connect allows relying parties to define a “terms of
service” url. We then show that link to users when they click on it.
With OpenID, the equivalent URL would be set using relying party
discovery. Is this more or less what you’re looking for?
Screenshot:
On 6/2/09 10:21 AM, "Allen Tom" <atom@...>
wrote:
Alternatively, the RP could publish its privacy policy in its
discovery
document, which does make a lot of sense, but I understand that
there's
a lot of work going on to define the next generation of
discovery, and
I'm not quite sure what the timeframe is for that.
|

|
Re: SREG's Privacy Policy URL
I think this is covered in http negotiation.
If the OP knows the user's language preference from their profile they can fetch the correct one for the user and display it.
Can Google stop changing my language preference to Spanish?
I think a single URI for each policy and letting http deal with the language issue is best.
For process we could have it written up in the XRI TC as a profile for XRDS (Breno/George?), or attempt to spin up an OIDF WG.
I don't think it would be more than a page either way.
The other alternative is to agree on it as a community and RPs just start publishing it.
It isn't like we haven't done that in the past. SREG was never adopted as a standard.
John B.
Date: Tue, 2 Jun 2009 11:27:44 -0700
From: Andrew Arnott <andrewarnott@...>
Subject: Re: SREG's Privacy Policy URL
To: Johannes Ernst <jernst+openid.net@...>
Cc: OpenID Specs Mailing List <specs@...>
Would internationalizing entail the OP getting the URL for the RP's privacy policy in the right language?
If so, why not just have one URL and let the RP detect the user agent's preferred language? (Yes, I know the UI extension has this for the reason that the user agent isn't properly configured, so it's an interesting point...)
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
|

|
Re: SREG's Privacy Policy URL
>Would internationalizing entail the OP getting the URL for the RP's
>privacy policy in the right language?
>
>If so, why not just have one URL and let the RP detect the user
>agent's preferred language? (Yes, I know the UI extension has this
>for the reason that the user agent isn't properly configured, so
>it's an interesting point...)
How about the Privacy Policy itself containing pointers to other versions?
Not just languages, but perhaps machine-readable XRD files, as well?
<Privacy Policy>
<Clause1>
<type=RightToPublish>
<modifier1>irrevocable</modifier1>
<modifier2>perpetual</modifier2>
<modifier3>nontransferrable</modifier3>
And so on, perhaps with a link to some common documentation defining
the usual meaning of all these terms.
-Shade
|

|
Re: SREG's Privacy Policy URL
+1 RP discovery. If something is likely to persist beyond the active request, then it shouldn’t be in the request necessarily.
RP discovery would allow, for instance, an OP to show a page of all RPs a user has connected to, and links to their respective privacy policies. They can model the OP as a single database row with a “privacy_url” field, instead of having to keep track of a different url for every user, when in fact they are largely the same thing.
I like the “service” suggestion as made below. I’m worried about spoiling the simplicity of the UX extension by making it a “kitchen sink” when CX or even PAPE is more appropriate. From an engineering perspective, it seems this belongs in a simple RP discovery spec. There are other nice things like RP images and nice display names that would be nice to include.
Also, curious: what’s the process for rolling extensions back into revs of the main spec? It will become weird that “return_to” discovery is in the spec but this isn’t.
On 6/2/09 11:44 AM, "Allen Tom" <atom@...> wrote:
The internationalization problem is one of the reasons why it might make more sense for the privacy policy url to be passed in as a parameter by the RP. The RP already is passing the user's language to the OP as part of the UI extension, so we could just make this an additional parameter.
Alternatively, we can just say that the RP has a single privacy policy url, and the Privacy Policy URL can take an optional openid.ui.lang parameter. The privacy policy url can be discoverable.
Allen
Andrew Arnott wrote:
Would internationalizing entail the OP getting the URL for the RP's privacy policy in the right language?
If so, why not just have one URL and let the RP detect the user agent's preferred language? (Yes, I know the UI extension has this for the reason that the user agent isn't properly configured, so it's an interesting point...)
--
Andrew Arnott
"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - S. G. Tallentyre
On Tue, Jun 2, 2009 at 11:24 AM, Johannes Ernst <jernst+openid.net@netmesh.us> wrote:
Is there a way this can be internationalized?
On Jun 2, 2009, at 11:14, Allen Tom wrote:
OK, how about if we define a new Privacy Policy <Service> for RPs to include in their XRDS, with a link to their privacy policy?
So the RP would just include the following snippet in its discovery document, discoverable under its realm:
<Service>
  <Type>http://specs.openid.net/path/to/privacy/policy</Type>
  <URI>http://www.relyingparty.com/path/to/privacy/policy.html</URI>
</Service>
I'm not sure where we can formally document this. I guess we can put it in the UI spec?
Allen
George Fletcher wrote:
I think for a short-term solution we'd need to define service "types" for the privacy policy and TOS for XRDS.
For the long-term, the same could potentially be used as "rel" values in the XRD markup. The XRD spec is solidifying but is not 100% stable.
I think we should have a discovery option regardless of whether we update UX or AX. So I'd like to see a proposal for XRDS and then when XRD is available, supporting that.
Thanks,
George
Allen Tom wrote:
Hi Luke,
Yes, this is what we're looking for. Currently, in OpenID, the only way for the RP to link to its privacy policy (which is sort of like linking to its ToS) is by passing it in the openid.sreg.policy_url parameter using SREG.
Since we're trying to deprecate SREG, we can try to move this parameter to either the UI or AX Extension, or move it into Discovery.
Is there an actual Discovery spec?
Allen
Luke Shepard wrote:
FWIW, Facebook Connect allows relying parties to define a “terms of service” url. We then show that link to users when they click on it. With OpenID, the equivalent URL would be set using relying party discovery. Is this more or less what you’re looking for?
Screenshot:
On 6/2/09 10:21 AM, "Allen Tom" <atom@...> wrote:
Alternatively, the RP could publish its privacy policy in its discovery document, which does make a lot of sense, but I understand that there's a lot of work going on to define the next generation of discovery, and I'm not quite sure what the timeframe is for that.
|

|
Re: SREG's Privacy Policy URL
I worry a little about dumping this into the UX extension, because it's not the logical place to look for it.
Instead (and our WG process is really effed here), perhaps we should have a Policy Expression Extension (acronym pending) so that we could express things like this:
<xrds:XRDS>
  <XRD>
    <Type>xri://$xrds*simple</Type>
    <!-- Privacy Policy -->
    <Service>
      <Type>http://schemas.openid.net/policies/privacy</Type>
      <URI>http://example.com/privacy.php</URI>
    </Service>
    <!-- Terms & Conditions -->
    <Service>
      <Type>http://schemas.openid.net/policies/terms</Type>
      <URI>http://example.com/terms_and_conditions.php</URI>
    </Service>
  </XRD>
</xrds:XRDS>
I also think that RP discovery makes a lot of sense, and that really this stuff should all live in /host-meta.
Chris
On Tue, Jun 2, 2009 at 11:14 AM, Allen Tom <atom@...> wrote:
OK, how about if we define a new Privacy Policy <Service> for RPs to include in their XRDS, with a link to their privacy policy?
So the RP would just include the following snippet in its discovery document, discoverable under its realm:
<Service>
  <Type>http://specs.openid.net/path/to/privacy/policy</Type>
  <URI>http://www.relyingparty.com/path/to/privacy/policy.html</URI>
</Service>
I'm not sure where we can formally document this. I guess we can put it in the UI spec?
Allen
George Fletcher wrote:
I think for a short-term solution we'd need to define service "types" for the privacy policy and TOS for XRDS.
For the long-term, the same could potentially be used as "rel" values in the XRD markup. The XRD spec is solidifying but is not 100% stable.
I think we should have a discovery option regardless of whether we update UX or AX. So I'd like to see a proposal for XRDS and then when XRD is available, supporting that.
Thanks,
George
Allen Tom wrote:
Hi Luke,
Yes, this is what we're looking for. Currently, in OpenID, the only way for the RP to link to its privacy policy (which is sort of like linking to its ToS) is by passing it in the openid.sreg.policy_url parameter using SREG.
Since we're trying to deprecate SREG, we can try to move this parameter to either the UI or AX Extension, or move it into Discovery.
Is there an actual Discovery spec?
Allen
Luke Shepard wrote:
FWIW, Facebook Connect allows relying parties to define a “terms of service” url. We then show that link to users when they click on it. With OpenID, the equivalent URL would be set using relying party discovery. Is this more or less what you’re looking for?
Screenshot:
On 6/2/09 10:21 AM, "Allen Tom" <atom@...> wrote:
Alternatively, the RP could publish its privacy policy in its discovery document, which does make a lot of sense, but I understand that there's a lot of work going on to define the next generation of discovery, and I'm not quite sure what the timeframe is for that.
--
Chris Messina
Open Web Advocate
Website: http://factoryjoe.com
Blog: http://factoryjoe.com/blog
Twitter: http://twitter.com/chrismessina
Diso Project: http://diso-project.org
OpenID Foundation: http://openid.net
This email is: [ ] bloggable [X] ask first [ ] private
|

|
Re: SREG's Privacy Policy URL
Chris Messina wrote:
I also think that RP discovery makes a lot of sense, and that really this
stuff should all live in /host-meta.
Yes I think so too.
|

|
Re: SREG's Privacy Policy URL
Chris,
I agree that a WG on RP Discovery to define this is a start.
It probably needs to wind up in the individual specs over time though.
This would likely be in the RP's XRD rather than site meta as work on the spec is going.
SiteMeta will not be signed, so from an integrity point of view, and to support return_to delegation and other things people are keen on, the RP's XRD/S is the correct place to put it.
XRDS and XRD are quite different from a syntax point of view.
We need to get something done for XRDS per your suggestion or something similar, then sort out the long term refinements for XRD.
Not to put too fine a point on this but is there a way we can agree on something in less than a year?
Your proposal for XRDS will likely work just fine for people wanting to move to AX from SREG.
It breaks nothing, I don't see why we shouldn't make something like this available quickly for those that want a lightweight solution for the missing AX functionality.
John B.
Date: Tue, 2 Jun 2009 22:56:27 -0700
From: Chris Messina <chris.messina@...>
Subject: Re: SREG's Privacy Policy URL
To: Allen Tom <atom@...>
Cc: "specs@..." <specs@...>
I worry a little about dumping this into the UX extension, because it's not the logical place to look for it. Instead (and our WG process is really effed here), perhaps we should have a Policy Expression Extension (acronym pending) so that we could express things like this:
<xrds:XRDS>
  <XRD>
    <Type>xri://$xrds*simple</Type>
    <!-- Privacy Policy -->
    <Service>
      <Type>http://schemas.openid.net/policies/privacy</Type>
      <URI>http://example.com/privacy.php</URI>
    </Service>
    <!-- Terms & Conditions -->
    <Service>
      <Type>http://schemas.openid.net/policies/terms</Type>
      <URI>http://example.com/terms_and_conditions.php</URI>
    </Service>
  </XRD>
</xrds:XRDS>
I also think that RP discovery makes a lot of sense, and that really this stuff should all live in /host-meta.
Chris
On Tue, Jun 2, 2009 at 11:14 AM, Allen Tom <atom@...> wrote:
OK, how about if we define a new Privacy Policy <Service> for RPs to
include in their XRDS, with a link to their privacy policy?
So the RP would just include the following snippet in its discovery
document, discoverable under its realm:
<Service>
  <Type>http://specs.openid.net/path/to/privacy/policy</Type>
  <URI>http://www.relyingparty.com/path/to/privacy/policy.html</URI>
</Service>
I'm not sure where we can formally document this. I guess we can put it in the UI spec?
Allen
|

|
Re: SREG's Privacy Policy URL
+1 for making it discoverable. I worry about passing privacy policies in (unsigned) requests. Much better to have it discoverable from well-known-locations (hopefully using XRD 1.0 which has a less invasive approach to well-known-locations than Yadis).
-- --Breno +1 (650) 214-1007 desk +1 (408) 212-0135 (Grand Central) MTV-41-3 : 383-A PST (GMT-8) / PDT(GMT-7)
|
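An added example, not part of any message in this thread: one way an OP could read the policy links from an RP's discovered XRDS, using the Service types Chris Messina proposed above. The sample document, the namespace declarations added to it, the scheme check and the function name `extract_policy_links` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "{xri://$xrd*($v*2.0)}"  # XRD namespace used by Yadis/XRDS documents
# Service types proposed in this thread; not a ratified spec.
POLICY_TYPES = {
    "http://schemas.openid.net/policies/privacy": "privacy",
    "http://schemas.openid.net/policies/terms": "terms",
}

# Constructed sample: the thread's snippet with namespaces declared, plus one
# URI (constructed) that an OP should refuse to render as a link.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service>
      <Type>http://schemas.openid.net/policies/privacy</Type>
      <URI>http://example.com/privacy.php</URI>
    </Service>
    <Service>
      <Type>http://schemas.openid.net/policies/terms</Type>
      <URI>javascript:void(0)</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


def extract_policy_links(xrds_text):
    """Return {'privacy': url, 'terms': url}, keeping only displayable links."""
    # The document is fetched from a remote RP, so refuse any DTD: no entity
    # declarations are ever handed to the parser.
    if "<!DOCTYPE" in xrds_text or "<!ENTITY" in xrds_text:
        raise ValueError("DTD not allowed in discovery document")
    root = ET.fromstring(xrds_text.encode("utf-8"))
    links = {}
    for service in root.iter(XRD_NS + "Service"):
        types = [(t.text or "").strip() for t in service.findall(XRD_NS + "Type")]
        for kind in (POLICY_TYPES[t] for t in types if t in POLICY_TYPES):
            for uri in service.findall(XRD_NS + "URI"):
                url = (uri.text or "").strip()
                parts = urlsplit(url)
                # Only absolute http(s) URLs are shown to the End User.
                if parts.scheme in ("http", "https") and parts.netloc:
                    links.setdefault(kind, url)
    return links
```

On the sample, only the privacy link survives; the terms entry is dropped because its URI is not an absolute http(s) URL.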

|
Re: SREG's Privacy Policy URL
On Jun 3, 2009, at 12:56 AM, Chris Messina wrote:
Sorry to revive a dead thread, but isn't there an existing rel="" for
this sort of thing? dcterms:rights, dcterms:provenance, and
dcterms:accessRights don't seem quite the right fit, but I can't find
anything better.
What's going on with this extension anyway? A quick search finds
nothing in the wiki or under http://openid.net/specs/
http://josephholsten.com
|

|
Re: SREG's Privacy Policy URL
Hi Joseph,
There hasn't been any progress on this. I think everyone considers
fixing the missing privacy policy for AX important.
It is unclear however how to get agreement on this.
One way would be for the library authors to include it without an
approved standard as it doesn't break anything.
We just need to pick a type and do it.
John B.
On 30-Jun-09, at 3:00 PM, specs-request@... wrote:
|