[OpenID] Relying Party Best Practices

Coderre, Mark CoderreM at aetna.com
Fri Mar 9 13:14:37 UTC 2007


The chance for id's referenced for access control to be "re-used" EVER
makes the id ambiguous and not helpful when securing private data for
that consumer.  

-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of David Corbin
Sent: Friday, March 09, 2007 7:21 AM
To: general at openid.net
Subject: Re: [OpenID] Relying Party Best Practices

On Friday 09 March 2007 05:07, Mark Fowler wrote:
> On 9 Mar 2007, at 00:55, Karl Anderson wrote:
> > Consider the perverse case where example.org gets sold a few times 
> > to people who use it to log into Jyte,
>
> Er, if you sell your OpenID then you're selling your identity.  Don't 
> do that unless you really want someone else to be able to claim 
> they're you.

This places on an obligation on IPs to NEVER re-use userIds then,
doesn't it? 
I haven't seen this mentioned anywhere, and is also a down side to using
delegation (unless you own the domain and will forever, even after your
dead). 

Suppose I blog at foo.com, so I use http://dcorbin.foo.com as my openId
(which delegates the authentication to my IP).  Now I choose to move my
blog over to bar.com, because I like their blogging software better.  I
can reasonably expect foo.com to never re-use my ID for a year or two,
but eventually I expect it to be recycled.

-- 
David Corbin
Games, Gamers, Gaming - a blog - http://g3.machturtle.com
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general

-----------------------------------------
This e-mail may contain confidential or privileged information. If
you think you have received this e-mail in error, please advise the
sender by reply e-mail and then delete this e-mail immediately.
Thank you. Aetna




More information about the general mailing list