Non-CorrelatableID with OpenID 2
Convener: Joe Andrieu
- Yarvi Adam
- Terry Hayes
- Jim Fenton
- Steve Williams
- Scott Bloomquist
- Jeff Stollman
We talked about OpenID, in multiple versions: 1.0 and 2.0
- non-correlatable stuff isn't always used! Yahoo!
- good to have post-facto correlation (at dashboard level)
- Suggested pattern, which we should advocate
- always use directed id (non-correlatable tokens)
- allow discoverable persona (display names)
- allow public, authenticated ID (for reputation)
- allow post-facto, intentional correlation (for
It seems that the lack of these things are reasons NOT to adopt modern identity approaches, so we should find a unified way to enable all of these, to get the broadest number and type of applications using identity.
We also talked about why we want non-correlatable ids, or directed Identity.
Noted that by teaching people to use OpenID, we are teaching them to use correlatable IDs. But in fact, we would do well to invest our energy teaching folks that are non-correlatable.
Does the non-correlatable technology give folks a false sense of privacy, when they are actually almost always giving far more data that, in fact, enables correlation?
- we need to educate to protect identity
- we need to give ways to enable that protection
Without giving a false sense of security.