[OpenID] Reuse of expired identities?

Peter Williams pwilliams at rapattoni.com
Sun Aug 12 15:07:16 UTC 2007


Your question is not unusual, but mature. It pertains to: 

		1. how to provision OpenIDs, 

		2. how to manage the lifecycle of OpenIDs, 

		3. how to rely upon security infrastructures upon which a persistent OpenID may be dependent. 

You might start by analyzing the logic of the following failure analysis, posted at http://openid.net/wiki/index.php/OpenIDChanges#XRI_Support.

		"XRI is a new Internet-wide identifier scheme that mixes well with URIs and is designed to be more user-friendly. 

		Motivating Use Cases 

		URLs are DNS-based. When URLs are used as persistent identifiers, the expiration of domain names allows someone who buys a domain name to assume any identities that are tied to that domain name. XRI has protection against this kind of failure. 

		Proposed Implementation 

		The discovery phase of OpenID authentication now includes XRI resolution as a mechanism for obtaining the IdP Endpoint URL and OpenID delegate identifier, instead of the HTML-based discovery from OpenID 1.X. Since XRI resolution libraries are not yet commonly deployed, a proxy XRI resolver is available to OpenID relying parties to ease deployment. 

		See Also 

		http://en.wikipedia.org/wiki/I-name 

		http://inames.net/ "

Personally, I'm still struggling to follow the above, or the implied argument delegating any and all countermeasures to the provisioning/lifecycle/dependency management functions of XRIs, speaking technically. However, I recognize my ignorance (I got sidetracked by carefully following the signed FOAF thread, since it addresses my other need to strongly type attributes being exchanged and qualify the assurance level of OP agents). I'm still trying to comprehend the detailed security enforcing functions (and lifecycle management functions) performed by XRI-complying systems, or a proxy XRI resolver. It's proving hard to get at, via open source mechanisms. There is no obvious place where the ins, outs, and buts are discussed, to reveal the _inside_ story, the patent issues, and how IP issues are being managed by the vendor community.

For now, I've decided to have my own OpenID 1.1-ish experiment punt on those issues, and simply delegate issue management to the experiment's backend SAML2 "name-federation" group of features (account linking). This is a stopgap measure only, taking the persistent pseudonym that SAML handoff manages and postfixing it to the URL being "provisioned" (http://peter/#ABCDEFGH...) for use in OP-initiated OpenID Auth. It solves the problem of understanding (since I understand well how SAML2 addresses the issues), but this is obviously not a "native" OpenID solution. 
 
 
 
________________________________

From: general-bounces at openid.net on behalf of Richard Hartmann
Sent: Sat 8/11/2007 7:02 PM
To: general at openid.net
Subject: [OpenID] Reuse of expired identities?

Hi all,

my question might be a bit unusual, but it is serious nonetheless.

Suppose there is an OpenID identity. This identity expires and, after
some time, another account of the same name is created.

What happens in this case? Are there any provisions to determine
which account was used to identify for any service? Is any such
mechanism planned?

One obvious fix would be to modify the URI for the account, but that
can possibly introduce new problems.
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
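The RP-side provision Richard asks about, and the fragment-postfixed identifier Peter uses as a stopgap, as an added example that is not code from either post or from any OpenID library. It assumes the identifier-recycling convention of OpenID Authentication 2.0 (section 11.5.1): an OP that reissues a URL identifier appends a fresh, unique fragment (http://peter/#ABCDEFGH), the relying party keys its account links on the full identifier including the fragment plus the OP endpoint that signed the assertion, and shows users only the fragment-less form. The `Assertion` type, the store and the sample identifiers and endpoints are constructed for the example.

```python
"""Relying-party guard against recycled OpenID identifiers.

Added example for this thread (not from the original posts or any OpenID
library).  Assumes OpenID 2.0 identifier recycling: a reissued URL
identifier carries a new fragment, the RP compares the full identifier
and the signing OP endpoint, and displays the fragment-less URL.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Assertion:
    """The two facts an RP keeps from a verified positive assertion
    (constructed type for the example)."""
    claimed_id: str    # openid.claimed_id, possibly carrying a fragment
    op_endpoint: str   # openid.op_endpoint that signed the assertion


def display_form(claimed_id: str) -> str:
    """Fragment-less form shown to users; never used as the account key."""
    scheme, netloc, path, query, _fragment = urlsplit(claimed_id)
    return urlunsplit((scheme, netloc, path, query, ""))


class RelyingPartyStore:
    """Maps (full claimed identifier, OP endpoint) to a local account."""

    def __init__(self) -> None:
        # key: (claimed_id including fragment, op_endpoint) -> local account
        self._links: Dict[Tuple[str, str], str] = {}

    def link(self, assertion: Assertion, account: str) -> None:
        """Record the binding after the user explicitly claims an account."""
        self._links[(assertion.claimed_id, assertion.op_endpoint)] = account

    def resolve(self, assertion: Assertion) -> Tuple[str, Optional[str]]:
        """Classify a login attempt.

        ("match", account)      exact binding already known
        ("recycled", account)   same visible URL, but a different fragment
                                or a different OP endpoint: the identifier
                                was reissued or its domain changed hands,
                                so the new holder must NOT inherit the old
                                account
        ("new", None)           identifier never seen before
        """
        key = (assertion.claimed_id, assertion.op_endpoint)
        if key in self._links:
            return "match", self._links[key]
        shown = display_form(assertion.claimed_id)
        for (stored_id, _endpoint), account in self._links.items():
            if display_form(stored_id) == shown:
                return "recycled", account
        return "new", None


if __name__ == "__main__":
    # Constructed sample identifiers and endpoints.
    store = RelyingPartyStore()
    original = Assertion("http://peter/#ABCDEFGH", "https://op.example.com/auth")
    store.link(original, "peter-2007")
    reissued = Assertion("http://peter/#ZZZZZZZZ", "https://op.example.com/auth")
    new_owner = Assertion("http://peter/", "https://other-op.example.com/auth")
    for a in (original, reissued, new_owner):
        print(display_form(a.claimed_id), store.resolve(a))
```

The store deliberately keys on the OP endpoint as well as the fragment: if the domain behind http://peter/ expires and is bought by someone else, discovery on that URL now yields the buyer's OP, so even an identifier with no fragment at all is reported as recycled rather than silently mapped onto the old account.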




