[OpenID] Using Account Creation Date to preempt recycleable OpenID's in v.next

John Bradley ve7jtb at ve7jtb.com
Thu Dec 3 12:50:25 UTC 2009 

Most URI schemes support fragments.    I am guessing that acct: could support fragments.

Are you planning on registering the scheme?  

Are you thinking that Acct: will be used only for meta-data lookup, or for the claimed_id as well.

By changing account recycling detection to be a separate parameter we are creating a significant breaking change that effects applications account logic as well as the openID library.

I think openID's use of fragment is compatible with semantic web's use.
Though that is more coincidence than design.

https://ve7jtb.startssl.com/#123  becomes a identifier for me rather than the profile page.

We need to carefully consider things that may be breaking changes.  

Another issue we need to address is migrating people from http: identifiers at RP.

With RP's normalizing to http: and OP's not redirecting to the https version we are providing much lower security to people than we could be.

Perhaps moving people to Acct: type identifiers where discovery is more secure, is part of the solution.

However we do have a real problem with the installed base.

John B.
On 2009-12-03, at 12:45 AM, John Panzer wrote:

> #1 is an extremely good point.  'Acct:' Webfinger identifiers do not
> currently allow fragments for example.
> 
> On Wednesday, December 2, 2009, Santosh Rajan <santrajan at gmail.com> wrote:
>> Oops resending to specs.
>> 
>> On Thu, Dec 3, 2009 at 8:07 AM, Santosh Rajan <santrajan at gmail.com> wrote:
>> 
>> Hi Allen,
>> It is just that i thought using fragments are less than optimal for recycled accounts.1) If we are looking at OpenID's as more than just http URI's, possibly any other URI, this could complicate matters.
>> 
>> 2) Unfortunately fragments just don't look good when printed.3) Also the usage of fragments in OpenID does not reflect the true meaning of fragments. Fragments are used to denote different avatars of the "same entity", as in the semantic web. Or different parts of the same document as in html usage. However for OpenID we are using fragments to denote an entirely different entity, an new recycled account.
>> 
>> 
>> If there are privacy concerns for using the account creation date i am open to using some thing else instead. But the idea was to avoid fragments by adding an extra parameter in the protocol, rather than in AX.
>> 
>> 
>> 
>> On Thu, Dec 3, 2009 at 1:04 AM, Allen Tom <atom at yahoo-inc.com> wrote:
>> 
>> 
>> 
>> 
>> 
>> 
>> Hi Santosh,
>> 
>> Section 11.5.1 in the OpenID 2.0 spec specifically mentions using fragments to differentiate between different users in the event that the OpenID URL is recycled.
>> 
>> http://openid.net/specs/openid-authentication-2_0.html#identifying
>> 
>> Large identity providers often try to free up desirable userids by recycling ids that are inactive.
>> 
>> I do agree that account creation date is very useful to RPs, and several RPs have asked us to make the user’s account creation date available via Attribute Exchange. RPs that ask for this are usually interested in using the account’s tenure for anti-abuse purposes. The Yahoo OP will be making the account creation date available via AX early next year.  Hopefully we can have a standard schema for this.
>> 
>> 
>> Allen
>> 
>> 
>> 
>> On 12/1/09 8:32 PM, "Santosh Rajan" <santrajan at gmail.com> wrote:
>> 
>> I would like to first of all, apologies to all members of the community, for having made comments that has caused distress on this list. My apologies to all members.
>> 
>> 
>> I am not aware if the idea of using account creation dates to preempt recycleable identifiers has been considered before, and i thought it might be a cheap way to preempt the problem, and worth looking into.
>> 
>> All accounts have a logical creation date, a time stamp that in combination with an account identifier will be universally unique. I think all providers save this time stamp (or atleast the creation date) when the account is created. Let us call this timestamp the "account timestamp". This timestamp does not change through the life cycle of the identifier, and only changes when a new account is created with the same identifier (recycled).
>> 
>> 1) All OP's can return the account timestamp as an extra parameter with every authentication response.
>> 2) Every time a user logs in at an RP, the RP can verify that the timestamp has not changed.
>> 3) If the timestamp has changed, it means that this a recycled identifier, and this is a new user.
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> --
>> http://hi.im/santosh
>> 
>> 
>> 
>> 
>> 
>> --
>> http://hi.im/santosh
>> 
>> 
>> 
> 
> -- 
> --
> John Panzer / Google
> jpanzer at google.com / abstractioneer.org / @jpanzer
> _______________________________________________
> specs mailing list
> specs at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2468 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs/attachments/20091203/8fabe907/attachment.bin>

More information about the specs mailing list