[OpenID] Relying Party Best Practices

Karl Anderson kra at monkey.org
Fri Mar 9 19:02:29 UTC 2007

David Corbin <dcorbin at machturtle.com> writes:

> On Friday 09 March 2007 05:07, Mark Fowler wrote:
>> On 9 Mar 2007, at 00:55, Karl Anderson wrote:
>> > Consider the perverse case where example.org gets sold a few times to
>> > people who use it to log into Jyte,
>> Er, if you sell your OpenID then you're selling your identity.  Don't
>> do that unless you really want someone else to be able to claim
>> they're you.
> This places on an obligation on IPs to NEVER re-use userIds then, doesn't it? 
I don't think an Identity Provider is responsible for anything other
than authentication (but I haven't absorbed yadis or other discovery
extensions, so I could be wrong).  If you've lost the control over who
authenticates with an identity URL, and you haven't told a Relying
Party that that URL shouldn't be used to authenticate you anymore,
you've lost control of your identity with that Relying Party.

And getting back to Relying Party best practices, I think that it is
the RPs responsibilty to let the user switch IPs - remember, users
shouldn't be tied to an IP.

Karl Anderson      kra at monkey.org      http://monkey.org/~kra/

More information about the general mailing list