
2009/10/20

OpenID Provider Selection Protocol?

Filed under: - Nat @ 9:26 am

When a site wants to use an OP Identifier, it typically shows a list of OP icons. This list grows quickly and results in a user-interface nightmare, a.k.a. the “Nascar Problem”.

Various people have been working on this, such as the IDIB efforts and some Infocard integration, but to me, there seems to be an even simpler solution.

I have been wondering why nobody proposes this.
It is extremely simple.

Simply add your OP Identifier to the end of the User-Agent string, separated by a semicolon. For example, if you are using Safari and your OP is mixi.jp, it would look like:

Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP) AppleWebKit/531.9 (KHTML, like Gecko) Version/4.0.3 Safari/531.9.1;op=mixi.jp

Creating a custom header in IE is a bit of a problem, but the UA string is an exception and can be changed just by changing a registry entry, as far as I know. Most other major browsers provide ways to set the user agent.

The RP, upon receipt of the above string, extracts mixi.jp and redirects the user to mixi.jp automagically. If he has a session there, which is likely, he may be returned to the site immediately.

True, it reveals your OP to every site. Some people may consider it a privacy problem, and some would complain about the security implications, but how real would an attack using that information be? Not much, I think. Anti-phishing? It should be dealt with by other mechanisms.
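The RP-side extraction described above, as an added example that is not part of the original post. The User-Agent value is supplied by the client, so this sketch only acts on a hint that parses as a plain hostname and names an OP the RP already accepts. `TRUSTED_OPS`, `extract_op_hint`, `select_op`, the host `op.example.org` and the use of an `https://` identifier are assumptions made for illustration.

```python
import re
from typing import Optional

# Assumption: the RP keeps its own list of OPs it accepts (constructed values).
TRUSTED_OPS = {"mixi.jp", "op.example.org"}

# Matches a ";op=<value>" token appended to the UA string, as in the post.
_OP_TOKEN = re.compile(r";\s*op=([^;\s()]+)", re.IGNORECASE)
# Conservative hostname check: dot-separated labels of letters, digits, hyphens.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def extract_op_hint(user_agent: str) -> Optional[str]:
    """Return the OP host named in the UA string, or None if absent or invalid."""
    if not user_agent or len(user_agent) > 1024:
        return None
    hints = {h.lower().rstrip(".") for h in _OP_TOKEN.findall(user_agent)}
    if len(hints) != 1:  # no hint, or conflicting hints: ignore the header
        return None
    host = hints.pop()
    # Reject anything that is not a bare hostname (paths, userinfo, ports).
    return host if _HOSTNAME.match(host) else None


def select_op(user_agent: str) -> Optional[str]:
    """Return the OP Identifier to start discovery on, or None to show the usual OP list."""
    host = extract_op_hint(user_agent)
    if host is None or host not in TRUSTED_OPS:
        return None
    # Assumption: the RP builds the identifier itself from the vetted host.
    return "https://" + host + "/"
```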


2009/10/8

Sequence Diagram for Artifact Binding

Filed under: - Nat @ 8:29 pm

Based on https://openid.pbworks.com/OpenIDwithArtifactBinding


OpenID Artifact Binding


OpenID Process Change

Filed under: - Nat @ 4:07 pm

Finally!

I am glad to write that the OpenID Foundation Board has approved the change in the OpenID Process document so that a working group can be started without a membership vote.

The change itself requires a membership vote, so the notice will go out soon, and it is a month or more away for the new process to take effect, but once that is done, we can spin up WGs pretty quickly. That would certainly help AX 2.0, Auth 2.1 etc.


Re: Is OpenID User Centric?

Filed under: - Nat @ 3:59 pm

As I was not able to log in to comment on Johannes’s blog…

It is about this entry “Is OpenID User Centric?”.

Johannes’s comment that OpenID being “http://netmesh.info/jernst/digital_identity/is-openid-still-user-centric” is very apt. This is one use case that OpenID is supposed to serve.

The other use case that it is serving right now is Web SSO.

As a “personal/business card”, you do not need privacy. You do not want privacy. You want to reveal that it was you, and you want to be tracked.

In the Web SSO case, you might or might not want to be tracked.

For the User Centric thing, I believe that the user should control one’s XRD. Then, I can use Yahoo! or Google as an authentication service that provides PPID.

If I want to preserve anonymity, I would use the OP identifier for Yahoo! or Google. Alternatively, I could provide an XRD address that serves PPID, but that would be a tall order for most people.

If I want to leave my tracks, then I will provide my (signed) XRD address.

As to the email as attribute being sent…

I think we should define a contact service just like the XRI people do. It could be email, twitter, or authenticated something, etc. The service should be advertised in the XRD. Then we should not need to provide a “physical” address like email to the RP.

