Proposal for Recycling Identifiers in OpenID 2.0

John Panzer jpanzer at aol.net
Mon May 14 18:55:22 UTC 2007


Johannes Ernst wrote:
> On May 14, 2007, at 9:12, Dick Hardt wrote:
>
>   
>> The issue you bring up is a separate issue than the motivation for
>> recycling identifiers by large OPs.
>>     
>
> What I'm saying is a superset of the issue discussed so far that  
> ought to use the same technical solution because the problem is the  
> same: "X used identifier Y, and now Z controls Y. What now?"
>
>
>   
>> Your point is how does a user transfer from one identifier to another.
>>     
>
> While related, that's not the issue I was talking about.
>
> But you are right in that all of those problems should be solved at  
> the same time.
>
>   
>> The issue at hand is the scarcity of namespace.
>>
>> -- Dick
>>     
Absolutely. :)

Can some of these issues be solved via best practices?  For example:

RP:
1. If you ever get a 410 Gone response from identifier Y, immediately 
decouple X from Y -- mark account as inactive at least.
2. Try to ping known accounts for 410s at least once a year.  If you 
see one, go to step #1.
3. If no ping, and no login from Y for over a year, treat account as 
inactive when Y attempts to log in again.
4. Inactive accounts require out of band procedures for recovering data 
or transferring to a new OpenID identifier (equivalent to password reset).

And on the provider side:
OP:
1. When you deactivate an account, make the OpenID return 410 Gone for a 
minimum of two years.
2. Notify customers that they must transfer or shut down all services 
using the identifier before the de-activation.
3. Recycle identifiers only after the full two year period has elapsed.

Also, we may want to consider:
RP:
1. When you see a 301 Permanently Moved response for Y, follow it and 
update your local identifier keys.(*)

OP:
1. When a customer wants to transfer identifiers, use a 301 Permanently 
Moved response for the old identifier for a minimum of one year.
2. After one year, respond with 410 Permanently Gone for a minimum of 
one year.

These are straw men, feel free to knock them down.

(*) May conflict with other forces, such as SEO.


-- 
John Panzer
Abstractioneer <http://feeds.feedburner.com/aol/SzHO>
System Architect
http://abstractioneer.org
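The RP-side and OP-side rules sketched in the message above, modelled as one small state machine. This is an added example, not code from the original post, from the OpenID specs, or from any OP or RP implementation. The identifier URLs, the in-memory stand-in for the web, the five-hop redirect cap, the 365-day year and the result labels are all constructed assumptions; a real RP would issue the HTTP request instead of consulting the dictionary.

```python
"""Model of the RP and OP identifier-lifecycle rules from the thread.
All URLs and the in-memory "web" below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

ONE_YEAR = timedelta(days=365)          # assumption: a "year" is 365 days
TWO_YEARS = 2 * ONE_YEAR
MAX_REDIRECTS = 5                       # assumption: cap on 301 hops so a loop cannot spin forever

# Constructed stand-in for fetching an identifier URL: identifier -> (status, Location header)
SAMPLE_WEB: Dict[str, Tuple[int, Optional[str]]] = {
    "https://op.example/alice": (301, "https://op.example/alice-new"),   # transferred
    "https://op.example/alice-new": (200, None),
    "https://op.example/bob": (410, None),                               # deactivated
    "https://op.example/loop-a": (301, "https://op.example/loop-b"),     # misconfigured OP
    "https://op.example/loop-b": (301, "https://op.example/loop-a"),
}


@dataclass
class RpAccount:
    local_user: str                     # X in the thread's notation
    identifier: str                     # Y, the OpenID identifier coupled to X
    last_login: datetime
    last_ping: Optional[datetime] = None
    active: bool = True
    history: List[str] = field(default_factory=list)


def fetch(identifier: str, web: Dict[str, Tuple[int, Optional[str]]]) -> Tuple[int, Optional[str]]:
    # Unknown URLs are treated as a plain 200 so the model stays offline.
    return web.get(identifier, (200, None))


def ping(acct: RpAccount, web, now: datetime) -> str:
    """RP steps 1 and 2 plus the 301 rule: probe Y, decouple on 410, rekey on 301."""
    acct.last_ping = now
    current = acct.identifier
    for _ in range(MAX_REDIRECTS):
        status, location = fetch(current, web)
        if status == 410:
            acct.active = False                       # step 1: decouple X from Y
            acct.history.append(f"410 from {current}: decoupled {acct.local_user}")
            return "decoupled"
        if status == 301 and location:
            acct.history.append(f"301 {current} -> {location}")
            current = location                        # follow the move
            continue
        if current != acct.identifier:
            acct.identifier = current                 # update the local identifier key
            return "moved"
        return "ok"
    # Hop limit reached: do not rekey, leave the account for manual review.
    acct.history.append(f"redirect limit reached at {current}")
    return "redirect-loop"


def login(acct: RpAccount, now: datetime) -> str:
    """RP steps 3 and 4: a stale account (no ping and no login for over a year)
    is treated as inactive and needs out-of-band recovery before Y is accepted."""
    if not acct.active:
        return "inactive-recovery-required"
    ping_is_stale = acct.last_ping is None or now - acct.last_ping > ONE_YEAR
    if ping_is_stale and now - acct.last_login > ONE_YEAR:
        acct.active = False
        return "inactive-recovery-required"
    acct.last_login = now
    return "ok"


def op_response(now: datetime, deactivated_at: Optional[datetime] = None,
                transferred_at: Optional[datetime] = None,
                new_identifier: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """OP side: what to serve for an old identifier on a given day.
    Transfer: 301 for one year, then 410 for one more year, then recyclable.
    Deactivation: 410 for two years, then recyclable."""
    if transferred_at is not None:
        if now < transferred_at + ONE_YEAR:
            return ("serve-301", new_identifier)
        if now < transferred_at + TWO_YEARS:
            return ("serve-410", None)
        return ("recycle-ok", None)
    if deactivated_at is not None:
        if now < deactivated_at + TWO_YEARS:
            return ("serve-410", None)
        return ("recycle-ok", None)
    return ("serve-200", None)


if __name__ == "__main__":
    now = datetime(2007, 5, 14, tzinfo=timezone.utc)
    for url in ("https://op.example/alice", "https://op.example/bob", "https://op.example/loop-a"):
        acct = RpAccount("X", url, last_login=now)
        print(url, "->", ping(acct, SAMPLE_WEB, now), acct.history)
```

The `history` list is the audit trail a practitioner would want: every rekey and every decoupling is recorded with the URL that triggered it, so a 301 that silently points a local account at an attacker-chosen URL is at least visible after the fact, and the hop cap keeps a misconfigured or malicious redirect chain from being followed indefinitely.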