[OpenID] Reuse of expired identities?

Johnny Bufu johnny at sxip.com
Mon Aug 13 07:33:18 UTC 2007


On 12-Aug-07, at 3:07 PM, Eric Norman wrote:

>
> On Aug 12, 2007, at 10:07 AM, Peter Williams wrote:
>
>> URLs are DNS-based. When URLs are used as persistent identifiers,
>> the expiration of domain names allows someone who buys a domain name
>> to assume any identities that are tied to that domain name.
>
> I don't think this is quite accurate.  It allows someone else to
> "own" the identifier, sure.  But that doesn't mean they can assume
> your identities unless (1) the URL still resolves to your OP

No, that is not a requirement; the new owner of the URL can point it
to a new OP and it will work fine -- assuming the identity
(claimed_id) of the previous owner.

> and
> (2) the new owner can prove that they now control that linkage.

This is proved by setting up the discovery for the URL (either HTML
or Yadis). If the new owner controls the URL, it can set these up and
therefore also control the OpenID identifier / identities associated
with that URL.

> I think what it really boils down to is whether or not the new
> URL owner can obtain control of the old OP or obtain a copy of
> its contents.

No, because the new owner is not restricted / required in any way to
use the same / old OP. Any new OP will work -- this is how delegation
allows URL-owners to change their OP without changing their identities.


Johnny
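An added example, not from the thread: OpenID 2.0 HTML-based discovery, where the OP endpoint for a claimed_id is whatever `<link rel="openid2.provider">` (or 1.x `openid.server`) tag the URL's current controller serves. The two discovery pages and the `op_changed` relying-party check are constructed for illustration; the hostnames are assumptions.

```python
from html.parser import HTMLParser

class _OpenIDLinkParser(HTMLParser):
    """Collect <link rel=... href=...> tags from an HTML discovery page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for r in rel.lower().split():      # rel may list several tokens
                self.links.setdefault(r, href)

def html_discover(claimed_id, html):
    """OpenID 2.0 HTML discovery with 1.x fallback. Returns
    (op_endpoint, op_local_id) or None if the page publishes no OP.
    The local id defaults to the claimed_id itself when no delegate is given."""
    p = _OpenIDLinkParser()
    p.feed(html)
    endpoint = p.links.get("openid2.provider") or p.links.get("openid.server")
    if endpoint is None:
        return None
    local_id = (p.links.get("openid2.local_id")
                or p.links.get("openid.delegate") or claimed_id)
    return endpoint, local_id

def op_changed(previous_endpoint, discovered_endpoint):
    """Assumed RP-side check: flag a claimed_id whose discovered OP endpoint
    differs from the one recorded at an earlier login."""
    return previous_endpoint is not None and previous_endpoint != discovered_endpoint

# Constructed sample: the same claimed_id before and after the domain changes hands.
CLAIMED_ID = "https://alice.example/"
OLD_OWNER_HTML = """<html><head>
<link rel="openid2.provider" href="https://op-old.example/server">
<link rel="openid2.local_id" href="https://op-old.example/u/alice">
</head><body>alice</body></html>"""
NEW_OWNER_HTML = """<html><head>
<link rel="openid2.provider openid.server" href="https://op-new.example/endpoint">
</head><body>parked</body></html>"""

if __name__ == "__main__":
    before = html_discover(CLAIMED_ID, OLD_OWNER_HTML)
    after = html_discover(CLAIMED_ID, NEW_OWNER_HTML)
    print("before:", before)
    print("after: ", after)
    print("OP endpoint changed for claimed_id:", op_changed(before[0], after[0]))
```

The claimed_id that the RP sees is identical in both runs; only the discovered endpoint differs, which is why remembering the endpoint per identifier is the minimum an RP can do to notice such a change.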
