[OpenID] Relying Party Best Practices
Mark Fowler
mark at twoshortplanks.com
Fri Mar 9 10:07:23 UTC 2007
On 9 Mar 2007, at 00:55, Karl Anderson wrote:
> Assuming that URLs to Jyte content don't change, this meant at one
> time that if a user changed his identity URL, information linking
> content to that OpenID was lost - I removed one of my identity URLs
> from the site and claims that used to be about me weren't associated
> with my user anymore until I put it back.
On the other hand, due to having Jyte claims refer to an OpenID they
are universal - they're useful outside Jyte. If you instead make
claims about a username this becomes a lot less useful because they
change between sites, etc. You're making a claim about a URI, which
means you can...well...universally identify that resource. Also, I
can use Jyte to make claims about people who have an OpenID who have
_*never* *used* *Jyte*_.
> Consider the perverse case where example.org gets sold a few times to
> people who use it to log into Jyte,
Er, if you sell your OpenID then you're selling your identity. Don't
do that unless you really want someone else to be able to claim
they're you.
Mark.