[OpenID] Relying Party Best Practices

John Panzer jpanzer at aol.net
Fri Mar 9 18:03:00 UTC 2007


A theoretical best web practice is to first make an old URL redirect to 
the new one for a period of time with a 301 Permanent Redirect, followed 
by (ideally) a 410 Gone Permanently response for another period of time 
prior to recycling it.

If an RP sees a 301 redirect for an OpenID URL it already 'knows', after 
login should it ask the user if they want to change their old OpenID to 
the new one?  If an RP sees a 410 response, perhaps it should mark the 
account as dead.  And if an RP doesn't see a login for 2 years, perhaps 
it should flag the account as stale.

DNS does not guarantee persistence and domain names can be re-used, 
certainly over a time span of years.  It's not possible to guarantee "no 
reuse" if you're built on top of DNS.   This type of id is helpful, but 
stochastic.

-John

Coderre, Mark wrote:

>The chance for id's referenced for access control to be "re-used" EVER
>makes the id ambiguous and not helpful when securing private data for
>that consumer.  
>
>-----Original Message-----
>From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
>Behalf Of David Corbin
>Sent: Friday, March 09, 2007 7:21 AM
>To: general at openid.net
>Subject: Re: [OpenID] Relying Party Best Practices
>
>On Friday 09 March 2007 05:07, Mark Fowler wrote:
>  
>
>>On 9 Mar 2007, at 00:55, Karl Anderson wrote:
>>    
>>
>>>Consider the perverse case where example.org gets sold a few times 
>>>to people who use it to log into Jyte,
>>>      
>>>
>>Er, if you sell your OpenID then you're selling your identity.  Don't 
>>do that unless you really want someone else to be able to claim 
>>they're you.
>>    
>>
>
>This places on an obligation on IPs to NEVER re-use userIds then,
>doesn't it? 
>I haven't seen this mentioned anywhere, and is also a down side to using
>delegation (unless you own the domain and will forever, even after your
>dead). 
>
>Suppose I blog at foo.com, so I use http://dcorbin.foo.com as my openId
>(which delegates the authentication to my IP).  Now I choose to move my
>blog over to bar.com, because I like their blogging software better.  I
>can reasonably expect foo.com to never re-use my ID for a year or two,
>but eventually I expect it to be recycled.
>
>  
>


-- 

Abstractioneer <http://feeds.feedburner.com/aol/SzHO>John Panzer
System Architect
http://abstractioneer.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20070309/39855933/attachment-0002.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: SzHO.gif
Type: image/gif
Size: 8076 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-general/attachments/20070309/39855933/attachment-0002.gif>


More information about the general mailing list