Chuck Esterbrook <ChuckEsterbrook@...> wrote:
>The idea behind externalId is that you could safely use it externally to
>refer to a user. Safely means that 1. it would be hard for someone to guess
>(and therefore impersonate another user) and 2. would not reveal private
>information about the user. This basically means an opaque, lengthy
>randomized id. I believe UserKit already provides that.
And we're not even really considering applications where one might want to
refer to person identities in forms, for example, where the standard personal
identifier is deemed sensitive even though there's little scope for
impersonation using that identifier within the application. I worked on an
application, once, where we had to "mask" organisation-wide personal
identifiers in order to obscure such information. Of course, it would have been
possible to "crack" the obscuring mechanism and start getting real identifiers,
but given the principally political motivation for this "security" it was
enough to just not include such identifiers "bare" in HTML form elements
(albeit hidden ones).
I think the political powers knew that personal identifiers were fairly useless
on their own anyway, but people do get on their soapbox about such things
fairly easily in highly political organisations.
P.S. It's nice to see UserKit getting some attention!
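
The two properties named in the quoted message (hard to guess, reveals nothing about the user) and the hidden form field case from the reply can be sketched as follows. This is an added example, not code from the thread or from UserKit; the `ExternalIdRegistry` class, its method names and the `EMP-004217` identifier are hypothetical and constructed for illustration.

```python
import secrets


class ExternalIdRegistry:
    """Hypothetical store mapping internal user keys to opaque external ids."""

    def __init__(self, nbytes=32):
        self._nbytes = nbytes      # 32 random bytes = 256 bits from the OS CSPRNG
        self._by_external = {}     # external id -> internal key
        self._by_internal = {}     # internal key -> external id

    def external_id_for(self, internal_key):
        """Return the user's external id, issuing one on first use."""
        existing = self._by_internal.get(internal_key)
        if existing is not None:
            return existing
        while True:
            # Drawn at random, never derived from the internal key, so the
            # value cannot be reversed or "cracked" back into the real id.
            candidate = secrets.token_urlsafe(self._nbytes)
            if candidate not in self._by_external:
                break
        self._by_external[candidate] = internal_key
        self._by_internal[internal_key] = candidate
        return candidate

    def resolve(self, external_id):
        """Map a submitted external id back to the internal key, or None."""
        if not isinstance(external_id, str):
            return None
        return self._by_external.get(external_id)

    def rotate(self, internal_key):
        """Invalidate the current external id (e.g. after a leak) and reissue."""
        old = self._by_internal.pop(internal_key, None)
        if old is not None:
            del self._by_external[old]
        return self.external_id_for(internal_key)


def demo():
    registry = ExternalIdRegistry()
    internal = "EMP-004217"  # constructed organisation-wide identifier
    ext = registry.external_id_for(internal)
    # token_urlsafe emits only A-Z, a-z, 0-9, '-' and '_', so the value is
    # safe to place in an HTML attribute without further escaping.
    hidden_field = '<input type="hidden" name="user" value="%s">' % ext
    return registry, internal, ext, hidden_field
```

Because the server resolves the value through a lookup rather than decoding it, a submitted bare internal identifier or a stale external id simply fails to resolve.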