The trust screen on an OpenID Provider

Nathan Bell blogs about how he wishes OpenID would just go away, or at least fade into the background so that users don’t have to know quite so much to use it. I really like how he’s thinking over there, and will take some time to write up my thoughts on most of it sometime soon.

Meanwhile, I wanted to throw in my two cents on requirement #3 that he laid out in his post. I and some other Vidoopsters (Michael, Chris, Will) were working on one of our OpenID usability efforts and ended up convincing ourselves that the trust page doesn’t matter if no profile data is being handed off. The boolean value that represents the success or failure of an authentication attempt is certainly no more of a data leak than the claimed identifier that had already been submitted.

Or am I missing something?

One Comment

  1. Posted June 10, 2008 at 1:27 pm | Permalink

    Hi Scott,
    I’m really looking forward to reading your thoughts on simplifying the OpenID login flow. Can’t wait :)

    I *think* you’re right about there not being a data leak if there is no profile data being exchanged. If it’s true that you can skip the trust screen in those cases, that’d be a huge win.

    The only catch I can think of (and I haven’t thought about this very deeply) is it might open up the possibility that an RP could identify you without you knowing. If http://example.com is a nefarious RP and had a good guess at your OpenID (or, actually, just your OpenID Provider), couldn’t they execute a login in the background? They would then know who you are but you might not know that they know who you are (until you login to your provider and see “example.com” on the list of trusted sites…

Post a Comment

Your email is never shared. Required fields are marked *

*
*