[OpenID] Reuse of expired identities?
Johnny Bufu
johnny at sxip.com
Mon Aug 13 07:44:54 UTC 2007
On 12-Aug-07, at 6:42 PM, John Panzer wrote:
> As I understand it, OpenID 2.0 has a proposal to solve the accidental
> reuse problem (by allowing for a non-user-visible URL fragment appended
> to the 'real' identifier; said fragment tells an RP which revision of
> http://bob.example.com they're seeing today as opposed to last year).
> This does not address malicious reuse of course but the use case there
> is for large OPs (Yahoo, AOL, etc.) that need to recycle identifiers.
Yes, that's what we have. Possible solutions were discussed at IIW,
but none of them really addressed the "lost domain" use case. Josh
wrote a summary here (see use case #5):
http://openid.net/wiki/index.php/Identifier_Recycling
Until it gets published, you can see the 'identifier recycling' patch
in SVN:
http://openid.net/svn/diff.php?repname=specifications&path=%2Fauthentication%2F2.0%2Ftrunk%2Fopenid-authentication.xml&rev=341&sc=1
And explained here:
http://openid.net/svn/diff.php?repname=specifications&path=%2Fauthentication%2F2.0%2Ftrunk%2Fopenid-authentication.xml&rev=350&sc=1
Johnny
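
Added example, not part of the original message or of the specification patch: a sketch of how a relying party could key accounts on the full claimed identifier, fragment included, so that a recycled URL carrying a new fragment never resolves to the previous owner's account. The class name, fragment values and account names are constructed for illustration.

```python
from urllib.parse import urldefrag


class RelyingPartyAccounts:
    """Toy RP account store (hypothetical), keyed by the full claimed identifier."""

    def __init__(self):
        # full claimed identifier (URL + fragment) -> local account name
        self._accounts = {}

    @staticmethod
    def display_identifier(claimed_id):
        # The fragment is not user-visible: strip it for display purposes.
        return urldefrag(claimed_id).url

    def register(self, claimed_id, account):
        self._accounts[claimed_id] = account

    def login(self, asserted_claimed_id):
        # Exact match on URL *and* fragment. Matching on the fragment-less
        # URL would hand the old account to whoever holds the URL today.
        return self._accounts.get(asserted_claimed_id)

    def stale_owners(self, asserted_claimed_id):
        # Accounts bound to the same visible URL under a different revision;
        # useful for flagging that the identifier has been recycled.
        base = self.display_identifier(asserted_claimed_id)
        return sorted(
            acct for cid, acct in self._accounts.items()
            if cid != asserted_claimed_id and self.display_identifier(cid) == base
        )


def demo():
    rp = RelyingPartyAccounts()
    old = "http://bob.example.com#rev2006"  # constructed: last year's revision
    new = "http://bob.example.com#rev2007"  # constructed: today's revision
    rp.register(old, "bob-original")
    first_login = rp.login(new)             # new owner is unknown to the RP
    rp.register(new, "bob-new")
    return (first_login, rp.login(new), rp.login(old),
            rp.stale_owners(new), rp.display_identifier(new))


if __name__ == "__main__":
    print(demo())
```

As the quoted message notes, this only covers accidental reuse where the OP issues a fresh fragment; it does nothing for the "lost domain" case, where the new holder of the domain controls what is asserted.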