XRI canonical id question
Martin Atkins
mart at degeneration.co.uk
Tue Oct 10 17:23:40 UTC 2006
Johannes Ernst wrote:
> Drummond:
>
> The current auth draft says in section 11.4:
> If the Verified Identifier is an XRI, the discovered CanonicalID
> field from the XRD SHOULD be used as a key for local storage of
> information about the End User.
>
> Is there ever a scenario where the identifier is disassociated from the
> CanonicalID? I was wondering whether there is a potential security hole?
>
> [I simply don't know, so I'm asking you ;-) ]
>
>
I'm pretty sure that "i-numbers" are never re-assigned. That's a pretty
fundamental design principle for XRI, as I understand it.

RPs should ideally be displaying the entered i-name but using the
i-number as the primary key. Of course, this does have the possibility
that in future the display name may be wrong, but since the RP should be
storing both it will be able to detect during auth that the two have
become detached and create a new conceptual user, probably
disassociating the i-name from the old one in the process.

This does pose a problem to humans in that the RP will be displaying an
incorrect i-name until the new owner tries to authenticate with the same
RP, which may never happen.
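As an added illustration of the bookkeeping Martin describes above (this is example code, not from the thread, the OpenID draft or any OpenID library), here is a small Python model of an RP user store that keys accounts on the CanonicalID (i-number) and treats the i-name purely as a display value. The class name `RelyingPartyStore`, the method names and the sample identifiers (`=alice`, `=!A111`, `=!B222`) are all constructed for the example; it assumes one RP account per i-number and that the caller has already verified the assertion and discovered the XRD.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    """One RP account. The i-number is the key; the i-name is only for display."""
    canonical_id: str               # XRI CanonicalID (i-number): stable, never re-assigned
    display_iname: Optional[str]    # i-name last seen for this account; may go stale


class RelyingPartyStore:
    """Constructed example of RP-side bookkeeping (assumption: one account per i-number)."""

    def __init__(self) -> None:
        self.by_inumber: Dict[str, User] = {}   # primary key: CanonicalID
        self.by_iname: Dict[str, str] = {}      # i-name -> CanonicalID last seen with it

    def on_verified_login(self, iname: str, canonical_id: str) -> Tuple[User, str]:
        """Record a login after the assertion was verified and the XRD discovered.

        Returns (account, event) where event is one of:
          'existing'   - same i-name and i-number as before
          'renamed'    - known i-number now presented with a different i-name
          'new'        - unseen i-number, i-name never seen before
          'reassigned' - unseen i-number, but the i-name used to map to another
                         account: that account is detached from the i-name
        """
        user = self.by_inumber.get(canonical_id)
        if user is not None:
            event = "existing"
            if user.display_iname != iname:
                # Owner moved to a different i-name: drop the old display mapping
                # if it still points at this account, then update the display name.
                old = user.display_iname
                if old is not None and self.by_iname.get(old) == canonical_id:
                    del self.by_iname[old]
                user.display_iname = iname
                event = "renamed"
        else:
            event = "new"
            previous_owner = self.by_iname.get(iname)
            if previous_owner is not None and previous_owner != canonical_id:
                # The i-name now resolves to a different i-number. Because the
                # account is keyed on the i-number, the old account is NOT handed
                # to the new holder; the RP only stops displaying the i-name for it.
                self.by_inumber[previous_owner].display_iname = None
                event = "reassigned"
            user = User(canonical_id=canonical_id, display_iname=iname)
            self.by_inumber[canonical_id] = user
        self.by_iname[iname] = canonical_id
        return user, event

    def display_name(self, canonical_id: str) -> str:
        """What the RP would show for an account; falls back to the i-number once detached."""
        user = self.by_inumber[canonical_id]
        return user.display_iname if user.display_iname is not None else canonical_id


def demo() -> List[str]:
    """Walk through the scenario in the thread with constructed identifiers."""
    store = RelyingPartyStore()
    events: List[str] = []
    # =alice resolves to i-number =!A111 (constructed values)
    events.append(store.on_verified_login("=alice", "=!A111")[1])   # new
    events.append(store.on_verified_login("=alice", "=!A111")[1])   # existing
    # Later, =alice is registered by someone else, whose i-number is =!B222.
    # Until this login happens the RP still shows "=alice" for =!A111.
    events.append(store.on_verified_login("=alice", "=!B222")[1])   # reassigned
    events.append(store.display_name("=!A111"))  # old account no longer shows "=alice"
    events.append(store.display_name("=!B222"))
    return events


if __name__ == "__main__":
    print(demo())
```

The point of the two indexes is that the i-name can be re-pointed at a different i-number without the old account ever being reachable under the new holder's credentials; the only thing that goes stale is the display string, which is exactly the human-facing problem described above.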