Address book sharing
5 views
Skip to first unread message
Andrew Arnott
Apr 24, 2008, 9:28:44 PM4/24/08
to axschema
Lots of sites like LinkedIn and Facebook like to get people to give
away their Gmail, Yahoo, AOL, or Live ID credentials so that the sites
can internally log in as them and download their whole address book so
their guest can see who of their friends is also using their
services. Giving away credentials is a BAD IDEA. While LinkedIn
perhaps is a reputable site, many other sites that do the same thing
could easily be squirreling away your credentials in some unprotected
database.
The Attribute Exchange protocol on OpenID has a great opportunity to
solve this problem. If we can add an attribute type (say...
http://axschema.org/contact/email/friends), then any web site that
wants a copy of all the email addresses from your address book can
just use an OpenID Authentication with an AX extension requesting as
many values for this attribute as are available. Then the user can
approve the transfer on his email/OpenID Provider and the information
is transferred without risk of losing your credentials to a
disreputable entity.
Of course for this to work you're email address book would have to be
available to your OpenID Provider, but as Yahoo is already a Provider
and others are jumping on board, this should be a straightforward step
once the attribute is well defined.
Comments?
away their Gmail, Yahoo, AOL, or Live ID credentials so that the sites
can internally log in as them and download their whole address book so
their guest can see who of their friends is also using their
services. Giving away credentials is a BAD IDEA. While LinkedIn
perhaps is a reputable site, many other sites that do the same thing
could easily be squirreling away your credentials in some unprotected
database.
The Attribute Exchange protocol on OpenID has a great opportunity to
solve this problem. If we can add an attribute type (say...
http://axschema.org/contact/email/friends), then any web site that
wants a copy of all the email addresses from your address book can
just use an OpenID Authentication with an AX extension requesting as
many values for this attribute as are available. Then the user can
approve the transfer on his email/OpenID Provider and the information
is transferred without risk of losing your credentials to a
disreputable entity.
Of course for this to work you're email address book would have to be
available to your OpenID Provider, but as Yahoo is already a Provider
and others are jumping on board, this should be a straightforward step
once the attribute is well defined.
Comments?
BRIM...@gmail.com
May 10, 2008, 2:13:12 AM5/10/08
to axschema
I think it sounds like a really cool idea. The only thing that strikes
me right off is the authorization problem. If I want to authenticate
to a service using my OpenID provider what would prevent that service
from mining all of my contacts. What if OpenID only mapped to the
provider of the address books by providing the particular identity (in
the case of yahoo a user id) that the user has with that provider?
Then the consumer requesting the authentication via OpenID can utilize
a method like OAuth to request the information from the provider, and
that way the request is authorized by the user. The potential gain
would be that OpenID can announce potential data integration points
(twitter, myspace, facebook, yahoo, google, etc..) but the user
ultimately controls how much access will be granted.
Brian
On Apr 24, 6:28 pm, Andrew Arnott <andrewarn...@gmail.com> wrote:
> Lots of sites like LinkedIn and Facebook like to get people to give
> away their Gmail, Yahoo, AOL, or Live ID credentials so that the sites
> can internally log in as them and download their whole address book so
> their guest can see who of their friends is also using their
> services. Giving away credentials is a BAD IDEA. While LinkedIn
> perhaps is a reputable site, many other sites that do the same thing
> could easily be squirreling away your credentials in some unprotected
> database.
>
> The Attribute Exchange protocol on OpenID has a great opportunity to
> solve this problem. If we can add an attribute type (say...http://axschema.org/contact/email/friends), then any web site that
me right off is the authorization problem. If I want to authenticate
to a service using my OpenID provider what would prevent that service
from mining all of my contacts. What if OpenID only mapped to the
provider of the address books by providing the particular identity (in
the case of yahoo a user id) that the user has with that provider?
Then the consumer requesting the authentication via OpenID can utilize
a method like OAuth to request the information from the provider, and
that way the request is authorized by the user. The potential gain
would be that OpenID can announce potential data integration points
(twitter, myspace, facebook, yahoo, google, etc..) but the user
ultimately controls how much access will be granted.
Brian
On Apr 24, 6:28 pm, Andrew Arnott <andrewarn...@gmail.com> wrote:
> Lots of sites like LinkedIn and Facebook like to get people to give
> away their Gmail, Yahoo, AOL, or Live ID credentials so that the sites
> can internally log in as them and download their whole address book so
> their guest can see who of their friends is also using their
> services. Giving away credentials is a BAD IDEA. While LinkedIn
> perhaps is a reputable site, many other sites that do the same thing
> could easily be squirreling away your credentials in some unprotected
> database.
>
> The Attribute Exchange protocol on OpenID has a great opportunity to
Reply all
Reply to author
Forward
0 new messages