[OpenID] Relying Party Best Practices
kra at monkey.org
Fri Mar 9 19:02:29 UTC 2007
David Corbin <dcorbin at machturtle.com> writes:
> On Friday 09 March 2007 05:07, Mark Fowler wrote:
>> On 9 Mar 2007, at 00:55, Karl Anderson wrote:
>> > Consider the perverse case where example.org gets sold a few times to
>> > people who use it to log into Jyte,
>> Er, if you sell your OpenID then you're selling your identity. Don't
>> do that unless you really want someone else to be able to claim
>> they're you.
> This places an obligation on IPs to NEVER re-use userIds then, doesn't it?
I don't think an Identity Provider is responsible for anything other
than authentication (but I haven't absorbed yadis or other discovery
extensions, so I could be wrong). If you've lost the control over who
authenticates with an identity URL, and you haven't told a Relying
Party that that URL shouldn't be used to authenticate you anymore,
you've lost control of your identity with that Relying Party.
And getting back to Relying Party best practices, I think that it is
the RP's responsibility to let the user switch IPs - remember, users
shouldn't be tied to an IP.
Karl Anderson kra at monkey.org http://monkey.org/~kra/
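As an added illustration of the point above about letting users switch providers and disown a URL they no longer control, here is a small account-store model written for this page (not code from the thread or any OpenID library); the class and method names are hypothetical, and the store is only consulted after the RP has verified an OpenID assertion for the identifier.

```python
"""Model of a Relying Party account store that is not keyed on one identity
URL: a user can link a second provider, then unlink the old URL so that a later
owner of that URL cannot log into the original account (constructed example)."""
from dataclasses import dataclass, field


class AccountError(Exception):
    pass


@dataclass
class Account:
    account_id: int
    # Every OpenID identifier the user has verified with this RP.
    identifiers: set = field(default_factory=set)


class RelyingPartyStore:
    def __init__(self):
        self._accounts = {}        # account_id -> Account
        self._by_identifier = {}   # identity URL -> account_id

    def create_account(self, identifier):
        acct = Account(len(self._accounts) + 1)
        self._accounts[acct.account_id] = acct
        self.link(acct.account_id, identifier)
        return acct.account_id

    def link(self, account_id, identifier):
        # Called only after a successful OpenID assertion for `identifier`
        # inside an already-authenticated session, so the user proves control
        # of the new URL before it is attached to the account.
        if identifier in self._by_identifier:
            raise AccountError("identifier already claimed by another account")
        self._accounts[account_id].identifiers.add(identifier)
        self._by_identifier[identifier] = account_id

    def unlink(self, account_id, identifier):
        # The user tells the RP this URL should no longer authenticate them.
        acct = self._accounts[account_id]
        if identifier not in acct.identifiers:
            raise AccountError("identifier not linked to this account")
        if len(acct.identifiers) == 1:
            raise AccountError("cannot remove the last identifier; link a new one first")
        acct.identifiers.remove(identifier)
        del self._by_identifier[identifier]

    def resolve(self, identifier):
        # Maps a verified identifier to an account id, or None if unknown.
        return self._by_identifier.get(identifier)
```

Refusing to unlink the last identifier keeps the user from locking themselves out, while the unlink itself is what severs the sold URL from the old account.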