[OpenID] Reuse of expired identities?

Peter Williams pwilliams at rapattoni.com
Tue Aug 14 02:13:32 UTC 2007


I could not resist playing some more with the JanRain OpenID code. It's so much fun :-) Though, I had not realized from the draft OpenID 2.0 spec that, if the behavior of the JanRain C# consumer is conforming, a non-exceptional run of the YADIS protocol means that any OpenID delegation metadata signaled in the HTML SHALL be ignored.

Anyway, upon disabling the XRDS metadata link, the JanRain consumer finally picked up the user's delegation policy signal and applied the associated delegation value when creating the checkid challenge it indicated to the server via the OpenID Auth protocol.

Challenged by the consumer to now prove control over the delegate (pseudonymic) OpenID previously provisioned to this user by the user's selected SAML IdP (and distributed to all members of the SP affiliation group opting to rely on this gateway to commonly name/provision OpenID users), I decided to change the server/gateway code so it would refuse to indicate a positive checkid response -- when the OpenID value re-tested via the trusted SAML federation does not match that indicated in the challenge.

(1) Is there an open source project anywhere for .NET that maintains RDF resources in some kind of robust server-side data structure, and can take in and spit out N3 serialization of RDF files on request?

(2) Does anyone now have values for a working XRI scenario that they can send me, so I can make some trials against the XRI proxy? I'm hoping the JanRain C# consumer can use the proxy if I now type in some XRI name form at the login prompt.

________________________________

From: Peter Williams
Sent: Sun 8/12/2007 7:21 PM
To: jpanzer at acm.org; Eric Norman
Cc: OpenID List
Subject: RE: [OpenID] Reuse of expired identities?


I've been playing, all afternoon, on the very topic of identifier provisioning. 

		As I understand it, OpenID 2.0 has a proposal to solve the accidental
		reuse problem (by allowing for a non-user-visible URL fragment appended
		to the 'real' identifier; said fragment tells an RP which revision of
		http://bob.example.com they're seeing today as opposed to last year).
		This does not address malicious reuse of course but the use case there
		is for large OPs (Yahoo, AOL, etc.) that need to recycle identifiers.
		
		-John
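The two checks discussed in this thread, as an added example that is not code from the thread, from JanRain, or from any OP: a gateway that only answers a checkid challenge positively when the identifier the relying party asked about is the one the upstream (SAML-backed) authentication actually verified for the user, and a relying party that handles the OpenID 2.0 identifier-recycling fragment (spec section 11.5.1) by keying accounts on the full Claimed Identifier, fragment included, while showing the user the fragment-free form. The Gateway and RelyingParty classes, the federation lookup table and the sample identifiers are all constructed for this example.

```python
"""Added example, not code from the thread or from the JanRain library.

Hypothetical pieces: Gateway (an OP/gateway that trusts a SAML federation
to say which OpenID a user owns), RelyingParty (an RP that stores the
fragment-bearing claimed_id as its account key), and the sample data.
"""
from urllib.parse import urlsplit, urlunsplit


def normalize(identifier):
    """Minimal OpenID-style URL normalization: lowercase scheme and host,
    give an empty path a trailing slash, keep query and fragment."""
    s = urlsplit(identifier)
    return urlunsplit((s.scheme.lower(), s.netloc.lower(), s.path or "/",
                       s.query, s.fragment))


def without_fragment(claimed_id):
    """The form an RP shows to the user and uses for discovery: no fragment.
    (OpenID 2.0 sec. 11.5.1: the fragment only marks a recycled identifier.)"""
    s = urlsplit(claimed_id)
    return urlunsplit((s.scheme, s.netloc, s.path, s.query, ""))


class Gateway:
    """Hypothetical OP/gateway. `federation` maps a locally authenticated user
    to the OpenID the SAML federation provisioned for that user."""

    def __init__(self, federation):
        self.federation = federation

    def checkid(self, authenticated_user, challenged_identity):
        """Answer a checkid_setup/checkid_immediate challenge.

        Positive only if the identifier the RP challenged is exactly the one
        the federation vouches for; otherwise refuse rather than vouch for an
        identifier this gateway did not verify."""
        verified = self.federation.get(authenticated_user)
        if verified is None or normalize(verified) != normalize(challenged_identity):
            return {"openid.mode": "cancel"}
        return {"openid.mode": "id_res",
                "openid.identity": verified,
                "openid.claimed_id": verified}


class RelyingParty:
    """Hypothetical RP. Accounts are keyed on the normalized claimed_id with
    its fragment, so a recycled identifier (new fragment) is a new person."""

    def __init__(self):
        self.accounts = {}
        self._next = 1

    def on_positive_assertion(self, claimed_id):
        """Return (local_account, created_new) for a verified assertion."""
        key = normalize(claimed_id)
        if key in self.accounts:
            return self.accounts[key], False
        account = "user%d" % self._next
        self._next += 1
        self.accounts[key] = account
        return account, True


def demo():
    """Run both checks on constructed data and return the observable results."""
    gw = Gateway({"alice": "http://alice.idp.example/"})
    ok = gw.checkid("alice", "http://alice.idp.example/")
    bad = gw.checkid("alice", "http://mallory.idp.example/")  # not hers: refused

    rp = RelyingParty()
    first = rp.on_positive_assertion("http://bob.example.com/#v1")   # new account
    again = rp.on_positive_assertion("http://bob.example.com/#v1")   # same bob
    recycled = rp.on_positive_assertion("http://bob.example.com/#v2")  # recycled: new account
    return ok["openid.mode"], bad["openid.mode"], first, again, recycled


if __name__ == "__main__":
    print(demo())
    print(without_fragment("http://bob.example.com/#v2"))
```

Note that the gateway compares the federation's answer against the challenged identifier after normalization only; the fragment bookkeeping for recycling lives entirely on the RP side, which is where the spec puts the burden of remembering which revision of http://bob.example.com it last saw.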
