Comments on: hCard is not a provisioning engine (for private data)

By: Jason

Jason — Tue, 06 Nov 2007 23:51:52 +0000

Not to even mention that there are and will be some people who do not maintain a profile page, nor webpage of any kind, but would like to exchange attributes to RPs that request them.

By: try { reuse; } catch (Ex) { reinvent; }

try { reuse; } catch (Ex) { reinvent; } — Tue, 06 Nov 2007 03:49:49 +0000

[…] willnorris.com managing identities Skip to content AboutpgpProjectsWordPress YADIS/XRDS PluginWordPress OpenID PluginWordPress MicroID Pluginwp-xrdswpopenidArchives « hCard is not a provisioning engine (for private data) […]

By: Will Norris

Will Norris — Tue, 06 Nov 2007 02:50:55 +0000

agreed, it is much more likely that truly different personas would be represented by different OpenID URLs, but many providers support this concept today as I described it.

The much more provocative use case is private data, and I really don't think shoe-horning hCard is the most appropriate or secure way of handling that. Not only because of the technical question of how it would be done, but also because I am much more comfortable knowing that it can only occur at the time I login, as is the case with SREG/AX (excepting that AX can perform subsequent updates of the data).

By: Scott Robinson

Scott Robinson — Tue, 06 Nov 2007 02:45:49 +0000

It seems very unlikely to me that you would use the same OpenID for exposures of identity. That's a single unique identifier that the other sites (as adversaries) can correlate with.

Once you separate have separate OpenIDs, having separate hCards is a clear jump.

So, no, I don't think this argument works.

However, hCards are semi-public and certain that is an issue. If the hCard concept has the consumer accessing the same URL - then there must be a way to recognize the source and return customized information.

And I haven't heard any talk of how that is supposed to occur.