No subject
Sun Aug 19 20:53:57 UTC 2007
you verify that a particular person using a web browser is associated with
a particular URL. This is very much like how sending an email with a secret
to an email address can be used to verify that someone owns an address.
If I get control of an OpenID, much the same way that if I get control
of an email address, as far as most services out there are concerned I
*am* that person and I have all the rights associated with them. This
is the inherent weakness in OpenID (and email) verification, but is the
thing that makes it scalable and, well, open.
</teach>
So what we have is the situation where if a domain is taken over then the
person who now runs the domain can assume all the identities of the
OpenID URLs under that domain. There's very little we can do about
that. But what about the situation where a domain isn't taken over?
What if there's a situation where an OpenID URL itself is taken over but
the domain remains in the original controller's hands (e.g. when someone
signs up for an account using a recycled username?)
In this situation we've potentially got someone like AOL or some other
trusted party still running the domain (and presumably, controlling what
goes on the pages.) Wouldn't it be nice to provide them with some way
of indicating that the person who is now associating with this OpenID
URL is not the same person who originally associated with this URL?
This could be as simple as adding another tag into the HTML for the
OpenID to indicate when they signed up:
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://2shortplanks.livejournal.com/">
<link rel="openid.timestamp" href="http://www.openid.net/timestamps/1191140090">
So, this means that when a consumer first associates someone with an
OpenID URL they can also (optionally) record the timestamp (if present.)
As long as the OpenID URL contains the same timestamp the consumer
knows that the account hasn't been recycled and it can continue to trust
the OpenID URL. But as soon as that timestamp changes, they know that
the OpenID is no longer under the control of the original user and they
can stop trusting it.
Of course, this proposal doesn't do anything about the fact that OpenIDs
are also used as unique identifiers for people (e.g. Jyte.) If someone
makes an assertion against someone who controls an openid and the person
controlling that openid changes then the assertion is now being made
about the wrong person. This sucks, but the only solution I can see to
this is saying "OpenIDs are never, ever, going to be reused" which while
a wonderful idea, probably isn't going to happen. At least my
suggestion doesn't make this any worse.
Comments? Suggestions? Warnocking?
Mark.
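
Added example, not part of the original message and not code from any OpenID library: a Python sketch of the consumer-side check the message proposes, recording the openid.timestamp link at first association and comparing it on later logins. The rel name is the message's proposal; the function names, the second timestamp value, and the choice to treat a removed or conflicting tag as a change are assumptions.

```python
from html.parser import HTMLParser

TIMESTAMP_REL = "openid.timestamp"  # rel proposed in the message; not in any OpenID spec

# Constructed sample pages: the message's tags, then the same URL after reassignment.
ORIGINAL = """<head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://2shortplanks.livejournal.com/">
<link rel="openid.timestamp" href="http://www.openid.net/timestamps/1191140090">
</head>"""
RECYCLED = ORIGINAL.replace("1191140090", "1299999999")  # constructed new sign-up time
NO_TAG = "<head><link rel='openid.server' href='http://www.livejournal.com/openid/server.bml'></head>"


class LinkCollector(HTMLParser):
    """Collect <link> href values keyed by each rel token."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "link" or not attrs.get("href"):
            return
        # rel is a space-separated, case-insensitive token list
        for rel in (attrs.get("rel") or "").lower().split():
            self.links.setdefault(rel, set()).add(attrs["href"].strip())


def extract_timestamp(html):
    """Return the advertised timestamp URL, or None if absent or ambiguous."""
    parser = LinkCollector()
    parser.feed(html)
    values = parser.links.get(TIMESTAMP_REL, set())
    return next(iter(values)) if len(values) == 1 else None


def check_identity(stored, html):
    """Return (decision, timestamp to keep on record) for one login."""
    current = extract_timestamp(html)
    if stored is None:
        return ("trust", current)      # first association: record whatever is there
    if current == stored:
        return ("trust", stored)       # same owner as when we first saw the URL
    return ("recycled", stored)        # changed or removed (assumption: both mean a new owner)
```

The consumer stores the second element of the returned tuple alongside the OpenID URL and passes it back as `stored` on the next login.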