I think it sounds like a really cool idea. The only thing that strikes
me right off is the authorization problem. If I want to authenticate
to a service using my OpenID provider what would prevent that service
from mining all of my contacts. What if OpenID only mapped to the
provider of the address books by providing the particular identity (in
the case of yahoo a user id) that the user has with that provider?
Then the consumer requesting the authentication via OpenID can utilize
a method like OAuth to request the information from the provider, and
that way the request is authorized by the user. The potential gain
would be that OpenID can announce potential data integration points
(twitter, myspace, facebook, yahoo, google, etc..) but the user
ultimately controls how much access will be granted.
Brian
On Apr 24, 6:28 pm, Andrew Arnott <
andrewarn...@gmail.com> wrote:
> Lots of sites like LinkedIn and Facebook like to get people to give
> away their Gmail, Yahoo, AOL, or Live ID credentials so that the sites
> can internally log in as them and download their whole address book so
> their guest can see who of their friends is also using their
> services. Giving away credentials is a BAD IDEA. While LinkedIn
> perhaps is a reputable site, many other sites that do the same thing
> could easily be squirreling away your credentials in some unprotected
> database.
>
> The Attribute Exchange protocol on OpenID has a great opportunity to
> solve this problem. If we can add an attribute type (say...
http://axschema.org/contact/email/friends), then any web site that