[OpenID] Relying Party Best Practices
ydnar at shaderlab.com
Fri Mar 9 16:19:48 UTC 2007
Is it possible for an provider to essentially reject any previous
external site’s assertions about a URI under its control?
If the consumer stored the reference with another opaque identifier,
for instance the numeric user ID or another unique string you could
have reusable URIs. The pair of [URI, ID] would identify the
particular URI + "owner" for assertions.
If dcorbin.foo.com was recycled and given to another user, the pair
would change from [dcorbin.foo.com, 1] to [dcorbin.foo.com, 2] which
would trigger reauthentication (assertion).
Would this suffice?
On Mar 9, 2007, at 4:20 AM, David Corbin wrote:
> On Friday 09 March 2007 05:07, Mark Fowler wrote:
>> On 9 Mar 2007, at 00:55, Karl Anderson wrote:
>>> Consider the perverse case where example.org gets sold a few
>>> times to
>>> people who use it to log into Jyte,
>> Er, if you sell your OpenID then you're selling your identity. Don't
>> do that unless you really want someone else to be able to claim
>> they're you.
> This places on an obligation on IPs to NEVER re-use userIds then,
> doesn't it?
> I haven't seen this mentioned anywhere, and is also a down side to
> delegation (unless you own the domain and will forever, even after
> Suppose I blog at foo.com, so I use http://dcorbin.foo.com as my
> openId (which
> delegates the authentication to my IP). Now I choose to move my
> blog over to
> bar.com, because I like their blogging software better. I can
> expect foo.com to never re-use my ID for a year or two, but
> eventually I
> expect it to be recycled.
> David Corbin
> Games, Gamers, Gaming - a blog - http://g3.machturtle.com
> general mailing list
> general at openid.net
More information about the general