[OpenID] Reuse of expired identities?
John Panzer
jpanzeracm at johnpanzer.com
Mon Aug 13 01:42:42 UTC 2007
Eric Norman wrote:
> On Aug 12, 2007, at 10:07 AM, Peter Williams wrote:
>
>
>> URLs are DNS-based. When URLs are used as persistent identifiers,
>> the expiration of domain names allows someone who buys a domain name
>> to assume any identities that are tied to that domain name.
>
>
> I don't think this is quite accurate. It allows someone else to
> "own" the identifier, sure. But that doesn't mean they can assume
> your identities unless (1) the URL still resolves to your OP, and
> (2) the new owner can prove that they now control that linkage.
>
> I think what it really boils down to is whether or not the new
> URL owner can obtain control of the old OP or obtain a copy of
> its contents.
As I understand it, OpenID 2.0 has a proposal to solve the accidental
reuse problem (by allowing for a non-user-visible URL fragment appended
to the 'real' identifier; said fragment tells an RP which revision of
http://bob.example.com they're seeing today as opposed to last year).
This does not address malicious reuse, of course, but the use case there
is for large OPs (Yahoo, AOL, etc.) that need to recycle identifiers.
-John
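As an added illustration of the fragment proposal John describes (example code, not from the thread or the OpenID specification): a Relying Party that keys accounts on the full claimed identifier, fragment included, so that a recycled identifier lands in a fresh account, while the `key_on_fragment=False` variant reproduces the accidental-reuse problem. The class and function names and the sample fragments are constructed for this example.

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_claimed_id(claimed_id: str) -> str:
    """Canonical form used as the RP's account key: lower-cased scheme and host,
    empty path made '/', and the OP-assigned fragment KEPT (that is the point)."""
    p = urlsplit(claimed_id.strip())
    if p.scheme.lower() not in ("http", "https") or not p.netloc:
        raise ValueError("claimed_id must be an absolute http(s) URL")
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, p.fragment))


def display_form(claimed_id: str) -> str:
    """Fragment-less form shown to the user; never used as a database key."""
    p = urlsplit(normalize_claimed_id(claimed_id))
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


class RelyingParty:
    """Tiny in-memory account store (hypothetical RP). key_on_fragment=False
    reproduces the accidental-reuse problem: last year's account is handed to
    whoever the OP now issues http://bob.example.com to."""

    def __init__(self, key_on_fragment: bool = True):
        self.key_on_fragment = key_on_fragment
        self._accounts: dict[str, dict] = {}

    def login(self, claimed_id: str) -> dict:
        full = normalize_claimed_id(claimed_id)
        key = full if self.key_on_fragment else display_form(full)
        acct = self._accounts.get(key)
        if acct is None:  # first time this key is seen: create a new local account
            acct = {"id": len(self._accounts) + 1, "display": display_form(full), "claimed_id": full}
            self._accounts[key] = acct
        return acct


# Constructed sample values: fragments the OP minted for two successive
# holders of the same user-visible identifier (not real data).
OLD_HOLDER = "http://bob.example.com/#2006r1"
NEW_HOLDER = "http://bob.example.com/#2007r2"

if __name__ == "__main__":
    safe, naive = RelyingParty(), RelyingParty(key_on_fragment=False)
    print(safe.login(OLD_HOLDER)["id"], safe.login(NEW_HOLDER)["id"])    # 1 2
    print(naive.login(OLD_HOLDER)["id"], naive.login(NEW_HOLDER)["id"])  # 1 1
```

Both logins display as `http://bob.example.com/`; only the fragment-aware store keeps the two holders' accounts apart.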