[OpenID] OpenID SREG best practice question

George Fletcher gffletch at aol.com
Wed Nov 12 08:20:13 PST 2008


Hi,

I've been re-reading the SREG spec and I'm unsure as to the best/correct 
behavior in the case that an RP asks for SREG data that the user has 
already provided/consented to in the past. I see at least 3 options:

1. Should the OP (which knows the user gave consent for the requested 
fields) just not return them (on the principle that the fewer times 
"PII" flows over the wire the more the user's privacy is protected)?

2. Should the OP silently (meaning no UI message relating to SREG) 
return the requested data if the user has given consent in the past (on 
the principle that the user gave consent in the past so this data can be 
returned without asking the user again)?

3. Should the OP always ask the user what to do but defaulting the data 
that is sent based on the previous consent? This adds a UI page to every 
OpenID authentication that requests SREG data.

Has anyone else worked through these issues? Any best practices to follow?

Thanks,
George
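The three options above, written out as OP-side decision logic. This is an added example, not code from the original mail or from any OpenID implementation; the policy names, the realm-keyed consent store and the sample request are assumptions made for illustration. It parses `openid.sreg.required` / `openid.sreg.optional`, drops field names the SREG extension does not define, and applies one of the three policies only when every requested field was already consented to for this particular RP; a field the RP has never been granted forces a consent page under all three policies.

```python
"""OP-side decision logic for a Simple Registration (SREG) request.

Added example, not code from the original mail or from any OpenID library.
The policy names, the consent store layout and the realm-keyed consent
record are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Field names defined by the SREG extension; anything else is ignored.
SREG_FIELDS = {"nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone"}

# The three behaviours from the mail (the names are ours).
WITHHOLD_IF_ALREADY_SENT = "withhold"   # option 1
SILENT_REUSE = "silent"                 # option 2
ALWAYS_PROMPT_PREFILLED = "prompt"      # option 3


def parse_sreg_request(params: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split openid.sreg.required / openid.sreg.optional into field lists.

    Unknown names are dropped rather than echoed back, so an RP cannot use
    the request to probe for attributes the extension does not define.
    """
    def split(key: str) -> List[str]:
        return [f.strip() for f in params.get(key, "").split(",") if f.strip()]

    required = [f for f in split("openid.sreg.required") if f in SREG_FIELDS]
    optional = [f for f in split("openid.sreg.optional")
                if f in SREG_FIELDS and f not in required]
    return required, optional


@dataclass
class Decision:
    prompt: bool                                            # show a consent page?
    release: Dict[str, str] = field(default_factory=dict)   # openid.sreg.* values
    prefill: Dict[str, bool] = field(default_factory=dict)  # checkbox defaults
    reason: str = ""


def decide(policy: str, params: Dict[str, str], realm: str,
           profile: Dict[str, str],
           consent_store: Dict[str, Set[str]]) -> Decision:
    """Decide what the OP does with an SREG request from the RP at `realm`.

    `consent_store` maps an RP realm to the set of fields the user has
    already agreed to release to that RP (assumed storage layout).
    """
    required, optional = parse_sreg_request(params)
    requested = required + optional
    if not requested:
        return Decision(prompt=False, reason="no sreg fields requested")

    prior = consent_store.get(realm, set())
    new_fields = [f for f in requested if f not in prior]

    # Whatever the policy, a field this RP has never been granted needs a
    # fresh decision: prior consent is per field and per RP, not global.
    if new_fields:
        return Decision(prompt=True,
                        prefill={f: f in prior for f in requested},
                        reason="request includes fields never consented: "
                               + ",".join(new_fields))

    if policy == WITHHOLD_IF_ALREADY_SENT:
        return Decision(prompt=False, reason="already released once; not re-sent")
    if policy == SILENT_REUSE:
        return Decision(prompt=False,
                        release={f: profile[f] for f in requested if f in profile},
                        reason="reusing prior consent")
    if policy == ALWAYS_PROMPT_PREFILLED:
        return Decision(prompt=True, prefill={f: True for f in requested},
                        reason="prior consent used only as UI default")
    raise ValueError(f"unknown policy {policy!r}")


def record_consent(consent_store: Dict[str, Set[str]], realm: str,
                   granted: List[str]) -> None:
    """Persist what the user ticked on the consent page for this RP."""
    consent_store.setdefault(realm, set()).update(granted)


def sreg_response(params: Dict[str, str], release: Dict[str, str]) -> Dict[str, str]:
    """Build the openid.sreg.* response parameters for the released fields."""
    out = {"openid.sreg." + f: v for f, v in release.items()}
    if "openid.ns.sreg" in params:      # SREG 1.1 requests carry a namespace; echo it
        out["openid.ns.sreg"] = params["openid.ns.sreg"]
    return out


if __name__ == "__main__":
    # Constructed sample request and user state (not real traffic).
    req = {"openid.ns.sreg": "http://openid.net/extensions/sreg/1.1",
           "openid.sreg.required": "email",
           "openid.sreg.optional": "nickname,fullname,bogus"}
    realm = "http://rp.example/"
    profile = {"email": "user@example.net", "nickname": "user", "fullname": "Example User"}
    store = {realm: {"email", "nickname", "fullname"}}
    for policy in (WITHHOLD_IF_ALREADY_SENT, SILENT_REUSE, ALWAYS_PROMPT_PREFILLED):
        d = decide(policy, req, realm, profile, store)
        print(policy, d.prompt, sorted(d.release), d.reason)
```

Note that under option 1 the OP returns nothing for fields it has already sent, so an RP that marks a field `required` and re-requests it on every login will see the field missing; the example implements the option as stated so that consequence is visible, it does not recommend it.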


