[OpenID] Relying Party Best Practices

David Corbin dcorbin at machturtle.com
Fri Mar 9 12:20:48 UTC 2007

On Friday 09 March 2007 05:07, Mark Fowler wrote:
> On 9 Mar 2007, at 00:55, Karl Anderson wrote:
> > Consider the perverse case where example.org gets sold a few times to
> > people who use it to log into Jyte,
> Er, if you sell your OpenID then you're selling your identity.  Don't
> do that unless you really want someone else to be able to claim
> they're you.

This places on an obligation on IPs to NEVER re-use userIds then, doesn't it? 
I haven't seen this mentioned anywhere, and is also a down side to using 
delegation (unless you own the domain and will forever, even after your 

Suppose I blog at foo.com, so I use http://dcorbin.foo.com as my openId (which 
delegates the authentication to my IP).  Now I choose to move my blog over to 
bar.com, because I like their blogging software better.  I can reasonably 
expect foo.com to never re-use my ID for a year or two, but eventually I 
expect it to be recycled.

David Corbin
Games, Gamers, Gaming - a blog - http://g3.machturtle.com

More information about the general mailing list