Yahoo! OpenIDs are the same for all RPs. I had assumed that Yahoo! would be using directed identity to provide a different OpenID for each user/site combination, to prevent correlation of accounts. I was incorrect; they’re just using it for easier sign-in, with the same auto-generated URL used for every site.
Does it mean that all Yahoo! users will have the same OpenID address?
Or will the real OpenID address be sent after authentication?
The real one is sent through during authentication. In fact, Yahoo! users will be able to pick the OpenID they want to use - they can stick to the default (randomly generated) one or use a Flickr one or (I think) one based on their Yahoo! username.
Since reading this earlier I'm left wondering what exactly Yahoo! was trying to achieve by this if they're not going to use RP-specific identifiers.
If a user isn't careful (and let's face it, how many users are?) it may be quite easy to figure out who they are just by correlating identifiers across RPs.
If correlation is going to be possible anyway, then why not just use the human-friendly Yahoo! ID?
Martin Atkins - 19th January 2008 19:18 - #
Hey Martin - the reason the auto-generated URL does not contain the Yahoo! ID is that the Yahoo! ID also maps to an email/IM address. This is also the case with many large existing (eg: AOL, Orange) and potential (eg: Google, Microsoft) OpenID providers.
Assuming OpenID really takes off (which we're all hoping for), users' OpenID URLs will be all over the place (again, this is a good thing). This would open up avenues for contextual spam attacks (if I posted a restaurant review with my OpenID, I'd get spam about restaurants or food, if my OpenID URL also reveals my email address - you get the idea). It's obvious that spammers can exploit this with great effect down the road.
This was discussed at length in a session I led at the IIW2007b and the general agreement among the attendees was that it would be a good idea to hash/encrypt the user's ID/screenname in such cases. Chris Messina's session notes are here:
http://iiw.idcommons.net/index.php/OpenIDForLargeProviders
Note that we will provide users an option to create a customized OpenID URL and that they can choose to have their Yahoo! ID in that URL - we decided to offer that feature by educating the user about the implications of this choice, understanding that some users will want to opt for it while being fully aware of such implications.
Hope this helps.
Shreyas Doshi - 20th January 2008 05:56 - #
There are a number of benefits from directed identity, even if you aren't using separate identifiers for each RP (which sounds nice but I bet it'd cause people to lose their profiles if an RP gets updated). The benefits include:
1. Simpler documentation. Just tell the user to enter "yahoo.com" rather than a personalised identity URL.
2. The user's identity URL need not be easy to type. It can be picked at random and never recycled, avoiding the whole identifier recycling mess that delayed the OpenID 2.0 spec release.
3. Only Yahoo knows how to map a particular identity URL to a Yahoo account (assuming they don't publish any user details at the identity URL). This means that users only reveal information they choose to when using OpenID.
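Worked example, added here by the editor and not part of any comment above: a small Python model of the identifier schemes the thread discusses. It contrasts the scheme the post describes (one random, never-recycled URL per account that every RP sees, so two RPs can correlate a user simply by comparing the URLs they were handed) with a pairwise identifier derived per RP realm using a keyed hash (only the provider can link those), and it shows why the "hash the screen name" idea from Shreyas's comment needs a key: an unkeyed hash of a guessable screen name is recoverable by a dictionary of likely names. The provider host, the provider secret, the account names and the RP realms are all constructed assumptions, not Yahoo!'s real scheme.

```python
"""Added example: how the identifier an OpenID provider (OP) returns during
authentication affects what two relying parties (RPs) can learn by comparing
notes. All hosts, secrets, names and realms below are constructed."""

import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

PROVIDER_HOST = "openid.me.example"  # assumed OP host, not a real endpoint
PROVIDER_SECRET = b"constructed-op-secret-do-not-reuse"  # assumed OP-side key

# Option A (the scheme described in the post): one random, never-recycled
# identifier per account, handed to every RP. The account -> URL mapping lives
# only in the OP's database, so the URL itself reveals nothing about the user.
_global_ids: Dict[str, str] = {}


def global_identifier(account: str) -> str:
    """Return the account's single directed-identity URL, minting it on first use."""
    if account not in _global_ids:
        _global_ids[account] = f"https://{PROVIDER_HOST}/a/{secrets.token_hex(16)}"
    return _global_ids[account]


# Option B: a pairwise identifier derived per (account, RP realm) with a keyed
# hash. Deterministic for a given pair (the user keeps their profile at that
# RP), but two RPs receive unrelated URLs for the same account, and nobody
# without PROVIDER_SECRET can recompute or link them.
def pairwise_identifier(account: str, realm: str) -> str:
    msg = f"{account}\x00{realm}".encode()
    tag = hmac.new(PROVIDER_SECRET, msg, hashlib.sha256).hexdigest()[:32]
    return f"https://{PROVIDER_HOST}/p/{tag}"


# Option C: "hash the screen name" done naively, with an unkeyed hash.
# The URL is stable across RPs (so still correlatable) AND reversible by guessing.
def unkeyed_hashed_identifier(account: str) -> str:
    digest = hashlib.sha256(account.encode()).hexdigest()[:32]
    return f"https://{PROVIDER_HOST}/h/{digest}"


def rps_can_correlate(id_at_rp_a: str, id_at_rp_b: str) -> bool:
    """Two RPs link accounts simply by comparing the URLs they were handed."""
    return id_at_rp_a == id_at_rp_b


def recover_screen_name(identifier: str, candidate_names: List[str]) -> Optional[str]:
    """Dictionary attack against Option C: anyone who can enumerate likely
    screen names can test each one against the public identifier. Because a
    Yahoo!-style screen name also maps to an e-mail address, a hit hands the
    spammer the address directly."""
    for name in candidate_names:
        if unkeyed_hashed_identifier(name) == identifier:
            return name
    return None


if __name__ == "__main__":
    reviews, blog = "https://reviews.example/", "https://blog.example/"
    print("A, same at both RPs:", global_identifier("alice") == global_identifier("alice"))
    print("B, same at both RPs:",
          pairwise_identifier("alice", reviews) == pairwise_identifier("alice", blog))
    print("C, recovered name:",
          recover_screen_name(unkeyed_hashed_identifier("alice"), ["bob", "alice"]))
```

Option A is what the thread settles on as Yahoo!'s behaviour: the OP-held mapping is what delivers benefit 3 above, but a user who signs in at two RPs is trivially linkable across them. Option B is the per-RP variant the post and Martin's comment were expecting; the key, not the hash function, is what prevents both correlation and recovery.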