[OpenID] Relying Party Best Practices

Karl Anderson kra at monkey.org
Mon Mar 12 00:14:55 UTC 2007


Martin Atkins <mart at degeneration.co.uk> writes:

> Karl Anderson wrote:
>> 
>> That's a good point, but it contradicts the Would Be Nice practice of
>> allowing users to change their identifier.   I think that's more
>> important - remember, users should be able to preserve their identity
>> if they switch providers.
>
> Users should be able to preserve their *accounts* if they change 
> identifiers, but they can't preserve their "reputation". Just as if I 
> change my name by deed poll lots of my existing relationships will 
> become invalid, changing my OpenID identifier necessarily damages my 
> existing relationships and reputation.

I don't think that this is necessary (and it would be nice if I could
damage my relationship between myself and some of my creditors by
changing my name ;)

I see your point, and I recognize that there are two conflicting needs
here - identity discovery vs. identity provider dependence.  Treating
an OpenID identifier as content (by, for example, letting a user's
action cause an identity URL to not show up anymore) lets the user
change identity providers (or survive having a provider go bad).
Treating it as a persistent handle (by, for example, putting it in a
URL or using it as a username) lets the identity be discovered even if
the account host goes bad - it could be followed from a cached document,
or a quoted excerpt, or something similar.

I think that not requiring identity provider dependence is more central
to OpenID.

> Currently the "solution" to this problem is sites like ClaimID which 
> allow people to draw together all of their identifiers and other contact 
> points. Anyone who trusts ClaimID can use it to verify that indeed I'm 
> both =mart and mart.degeneration.co.uk if I tell them my 
> ClaimID-provided identifier.

Sure, but you're pointing out here that ClaimID is an RP (as well as an
IdP), and that it's treating your OpenID URLs as content when it's
acting as an RP, right?  ClaimID can tell me that you can be
identified with those two URLs, but I can still find you if they
change, so long as you keep your ClaimID handle.

In any case, that's a good point - best practices for an RP may depend
on services provided by other RPs.

-- 
Karl Anderson      kra at monkey.org      http://monkey.org/~kra/
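The "identifier as content" design discussed in the message above, sketched as an added example (this is hypothetical illustration code, not from the thread, not from ClaimID, and not from any OpenID library): the RP keys the account on an internal id that never changes, stores the OpenID identifier as a mutable, verified attribute, keeps the former identifiers for lookup, and builds user-facing URLs from the internal id rather than the identifier. The identifiers and the `rp.example` host are constructed placeholders. `change_identifier` assumes the caller has already completed an OpenID authentication for the new identifier inside the existing account's session; the verification itself is outside this snippet.

```python
"""Added example: an OpenID relying party account store that treats the
identifier as content (mutable) and uses an internal id as the persistent
handle.  Hypothetical code, not from any OpenID implementation."""
from dataclasses import dataclass, field
import itertools


@dataclass
class Account:
    account_id: int                      # RP-internal handle, never changes
    display_name: str
    openid_identifier: str               # current verified identifier
    former_identifiers: list = field(default_factory=list)


class RelyingParty:
    def __init__(self):
        self._by_id = {}                 # account_id -> Account
        self._by_identifier = {}         # current identifier -> account_id
        self._ids = itertools.count(1)

    def register(self, verified_identifier, display_name):
        """Create an account for an identifier the RP has just verified."""
        if verified_identifier in self._by_identifier:
            raise ValueError("identifier is already bound to an account")
        acct = Account(next(self._ids), display_name, verified_identifier)
        self._by_id[acct.account_id] = acct
        self._by_identifier[verified_identifier] = acct.account_id
        return acct

    def login(self, verified_identifier):
        """Map a freshly verified identifier to its account, or None."""
        acct_id = self._by_identifier.get(verified_identifier)
        return self._by_id[acct_id] if acct_id is not None else None

    def change_identifier(self, account_id, new_verified_identifier):
        """Rebind an account to a new identifier (e.g. after switching
        providers).  Precondition: the RP has verified the new identifier
        in this account's logged-in session.  The old identifier is
        released; a later owner of that URL gets a fresh account, not this
        one, because the account's handle is the internal id."""
        acct = self._by_id[account_id]
        if new_verified_identifier in self._by_identifier:
            raise ValueError("identifier is already bound to an account")
        old = acct.openid_identifier
        del self._by_identifier[old]
        acct.former_identifiers.append(old)
        acct.openid_identifier = new_verified_identifier
        self._by_identifier[new_verified_identifier] = account_id
        return acct

    def profile_url(self, account_id):
        """User-facing URL built from the persistent internal handle, so
        links and quotes keep resolving after an identifier change."""
        return f"https://rp.example/users/{account_id}"


if __name__ == "__main__":
    rp = RelyingParty()
    alice = rp.register("https://alice.idp-one.example/", "alice")
    print(rp.profile_url(alice.account_id))
    rp.change_identifier(alice.account_id, "https://alice.idp-two.example/")
    print(rp.login("https://alice.idp-two.example/").display_name)
    print(rp.login("https://alice.idp-one.example/"))       # None: released
```

The point of the split between `account_id` and `openid_identifier` is that a provider going bad (or a user leaving it) costs the user only the old login path, not the account or the URLs other people have saved for it.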