[OpenID] Reuse of expired identities?

Simon Willison simon at simonwillison.net
Mon Aug 13 10:14:01 UTC 2007


On 8/12/07, Richard Hartmann <richih.mailinglist at gmail.com> wrote:
> my question might be a bit unusual, but it is serious nonetheless.
>
> Suppose there is an OpenID identity. This identity expires and, after
> some time, another account of the same name is created.

I'll offer my standard reply: this is of concern, but it is not a new
problem that is introduced by OpenID. E-mail addresses already suffer
from identifier recycling, and are already used for an extremely
common form of SSO (forgotten password links). Despite the existence
of identifier recycling in e-mail addresses nothing terrible has
happened relating to forgotten password links and recycled accounts
(unless anyone can demonstrate otherwise?)

It's a problem, but it's probably not as bad as people think it is.


