[OpenID] Relying Party Best Practices

Martin Atkins mart at degeneration.co.uk
Fri Mar 9 18:35:34 UTC 2007

ydnar wrote:
> Is it possible for a provider to essentially reject any previous
> external site’s assertions about a URI under its control?
> If the consumer stored the reference with another opaque identifier,
> for instance the numeric user ID or another unique string you could
> have reusable URIs. The pair of [URI, ID] would identify the
> particular URI + "owner" for assertions.
> If dcorbin.foo.com was recycled and given to another user, the pair
> would change from [dcorbin.foo.com, 1] to [dcorbin.foo.com, 2] which
> would trigger reauthentication (assertion).
> Would this suffice?

This is possible. This is, in fact, basically how i-names work: the 
i-name references an i-number, and the i-numbers are guaranteed never to 
be reused.

The difference is that in this case the "other opaque identifier" is 
identifier-local rather than global. Most sites would use some 
transformation of their numeric primary key for this, I guess.

I like this idea, but it does raise the question of how to disambiguate 
the different "versions" of a particular identifier across sites. Sites 
are unlikely to want to put "Posted By Martin Atkins 
[mart.degeneration.co.uk,1]" in their UIs. This concern exists for 
i-names as well... as soon as your data outlives your displayed 
identifier, you've got problems.
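An added illustration of the [URI, ID] pairing discussed above, not code from either poster: a relying party keys its local accounts on the claimed URI together with an opaque, never-reused owner id assumed to arrive with the provider's assertion, so a recycled URI with a new owner id never lands in the previous holder's account.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Assertion:
    """A positive assertion as the relying party receives it (constructed
    sample shape; the owner_id field is an assumption of this example)."""
    claimed_uri: str   # displayed identifier, e.g. http://dcorbin.foo.com/
    owner_id: str      # opaque, provider-local id, never reused for another user


@dataclass
class RelyingParty:
    # local account id -> (claimed_uri, owner_id) pair that owns the account
    accounts: dict[int, tuple[str, str]] = field(default_factory=dict)
    next_id: int = 1

    def login(self, a: Assertion) -> tuple[int, str]:
        """Return (local account id, outcome).

        outcome is 'existing' when the exact [URI, ID] pair is known, 'new'
        when the URI has never been seen, and 'recycled' when the URI is
        known but the owner id differs. In the recycled case the old account
        is left alone and a fresh one is created, which is the point of the
        pairing: the new holder of dcorbin.foo.com must not inherit user 1's
        data.
        """
        for acct, pair in self.accounts.items():
            if pair == (a.claimed_uri, a.owner_id):
                return acct, "existing"
        recycled = any(uri == a.claimed_uri for uri, _ in self.accounts.values())
        acct = self.next_id
        self.next_id += 1
        self.accounts[acct] = (a.claimed_uri, a.owner_id)
        return acct, ("recycled" if recycled else "new")

    def ambiguous_display(self, uri: str) -> bool:
        """True when more than one local account shares the same displayed
        URI, i.e. showing the bare URI in the UI would no longer identify
        one person (the disambiguation problem raised in the reply)."""
        return sum(1 for u, _ in self.accounts.values() if u == uri) > 1
```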
