[OpenID] Relying Party Best Practices

Martin Atkins mart at degeneration.co.uk
Thu Mar 8 07:58:51 UTC 2007

Simon Willison wrote:
> That's a really great list. I have one query about it:
> - Many-to-one relationship between Identity URLs and "user accounts"
> - Don't require users to choose locally-unique usernames
> These appear to be conflicting recommendations. For the second one,
> you advocate using the OpenID identifier as the primary identifier for
> a user, but in the first you emphasize that a user account should be
> able to have more than one OpenID associated with it. Even if you ask
> the user to select their "primary" OpenID you still run in to problems
> should they later ditch that one in favour of another. This could
> definitely be clarified.

I think I see where you're coming from here. I don't really think the 
two items you've called out here are necessarily in conflict (see John 
Panzer's reply) but once you bring "Allow, but do not require, users to 
attach a handle or name to their identity" into the equation it's a bit 
ambiguous, because that recommendation states that *the* (singular) 
OpenID identifer should be displayed alongside the non-unique display name.

Jyte handles this by asking the user to select a primary identifier as 
you say. However, you're right that if this is not handled carefully 
problems could arise if a different identifier is switched to primary 
later. I'm not sure what effect that has on Jyte today, but I think Jyte 
is in some ways a model for many of these "Brilliant" requirements.

More information about the general mailing list