AOL releases preview support for SREG

Recent industry events like the OpenID Content Provider Advisory Committee meeting in NY and the Internet Identity Workshop 2008b have raised the awareness that OpenID Relying Parties want more than just an authenticated URL. They also desire/require user data for the user who just "proved ownership" of the URL (i.e. their OpenID). This brings up a number of user experience issues as evidenced by this thread on the OpenID general mailing list.

These issues include...

1. How often should relying parties ask for user data? If every time, is there a security risk to the user to have their information "flowing" over the wire on every authentication?
2. User's need to consent to their information being given to the relying party, but once they've consented, should they be notified every time it happens? or just be given a way to change their mind later if they want to?
3. What is the best UI mechanism for dealing with "required" and "optional" data as requested by the relying party?

In order to work on these industry relevant issues, and also provide access to user data attributes on AOL OpenIDs, AOL has released "preview" support for SREG 1.0. The supported fields at this time include email, nickname, country, date of birth, gender, and postal code. Note that this support is SREG 1.0 compliant and based on our OpenID 1.1 Provider implementation. An upgrade to OpenID 2.0 and AX is planned for the future.

We welcome any and all feedback on our current implementation, and hope that this will encourage more web sites to become OpenID Relying Parties.