[OpenID] Relying Party Best Practices

Mark Fowler mark at twoshortplanks.com
Fri Mar 9 10:07:23 UTC 2007


On 9 Mar 2007, at 00:55, Karl Anderson wrote:

> Assuming that URLs to Jyte content don't change, this meant at one
> time that if a user changed his identity URL, information linking
> content to that OpenID was lost - I removed one of my identity URLs
> from the site and claims that used to be about me weren't associated
> with my user anymore until I put it back.

On the other hand, due to having Jyte claims refer to an OpenID they
are universal - they're useful outside Jyte.  If you instead make
claims about a username this becomes a lot less useful because they
change between sites, etc.  You're making a claim about a URI, which
means you can...well...universally identify that resource.  Also, I
can use Jyte to make claims about people who have an OpenID who have
*never* *used* *Jyte*.

> Consider the perverse case where example.org gets sold a few times to
> people who use it to log into Jyte,

Er, if you sell your OpenID then you're selling your identity.  Don't  
do that unless you really want someone else to be able to claim  
they're you.

Mark.




