[OpenID] Relying Party Best Practices
David Corbin
dcorbin at machturtle.com
Fri Mar 9 12:20:48 UTC 2007
On Friday 09 March 2007 05:07, Mark Fowler wrote:
> On 9 Mar 2007, at 00:55, Karl Anderson wrote:
> > Consider the perverse case where example.org gets sold a few times to
> > people who use it to log into Jyte,
>
> Er, if you sell your OpenID then you're selling your identity. Don't
> do that unless you really want someone else to be able to claim
> they're you.

This places an obligation on IPs to NEVER re-use userIds then, doesn't it?
I haven't seen this mentioned anywhere, and it is also a downside to using
delegation (unless you own the domain and will forever, even after you're
dead).

Suppose I blog at foo.com, so I use http://dcorbin.foo.com as my openId (which
delegates the authentication to my IP). Now I choose to move my blog over to
bar.com, because I like their blogging software better. I can reasonably
expect foo.com to never re-use my ID for a year or two, but eventually I
expect it to be recycled.
--
David Corbin
Games, Gamers, Gaming - a blog - http://g3.machturtle.com