[OpenID] Relying Party Best Practices
Coderre, Mark
CoderreM at aetna.com
Fri Mar 9 13:14:37 UTC 2007
The chance for IDs referenced for access control to be "re-used" EVER
makes the ID ambiguous and not helpful when securing private data for
that consumer.
-----Original Message-----
From: general-bounces at openid.net [mailto:general-bounces at openid.net] On
Behalf Of David Corbin
Sent: Friday, March 09, 2007 7:21 AM
To: general at openid.net
Subject: Re: [OpenID] Relying Party Best Practices
On Friday 09 March 2007 05:07, Mark Fowler wrote:
> On 9 Mar 2007, at 00:55, Karl Anderson wrote:
> > Consider the perverse case where example.org gets sold a few times
> > to people who use it to log into Jyte,
>
> Er, if you sell your OpenID then you're selling your identity. Don't
> do that unless you really want someone else to be able to claim
> they're you.
This places an obligation on IPs to NEVER re-use userIds then,
doesn't it?
I haven't seen this mentioned anywhere, and it is also a downside to using
delegation (unless you own the domain and will forever, even after you're
dead).
Suppose I blog at foo.com, so I use http://dcorbin.foo.com as my openId
(which delegates the authentication to my IP). Now I choose to move my
blog over to bar.com, because I like their blogging software better. I
can reasonably expect foo.com to never re-use my ID for a year or two,
but eventually I expect it to be recycled.
--
David Corbin
Games, Gamers, Gaming - a blog - http://g3.machturtle.com
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
-----------------------------------------
This e-mail may contain confidential or privileged information. If
you think you have received this e-mail in error, please advise the
sender by reply e-mail and then delete this e-mail immediately.
Thank you. Aetna
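The delegation case David describes, as an added example (not code from the thread, and not any OpenID library's implementation): a claimed identifier such as http://dcorbin.foo.com is just an HTML page carrying `<link rel="openid.server">` and `<link rel="openid.delegate">` tags (OpenID 1.1 delegation), so whoever controls that URL later can point it at a different provider and a different delegate identifier. A toy relying party that keys its local accounts on the claimed identifier alone, as the thread assumes, then maps the new owner onto the old account. The page contents, provider URLs and account names below are constructed; the "delegation changed" flag is a check added here for illustration, not something the thread proposes.

```python
"""Added example, not code from the thread or from any OpenID library.

Shows OpenID 1.1 delegation discovery (the <link rel="openid.server"> and
<link rel="openid.delegate"> tags a blog page carries) and why an RP that keys
access control on the claimed identifier URL alone hands the old account to
whoever controls that URL next. All URLs, page contents and account names
are constructed for the example.
"""
from html.parser import HTMLParser


class _DelegationLinks(HTMLParser):
    """Collect the openid.server / openid.delegate link targets from a page."""

    def __init__(self):
        super().__init__()
        self.server = None
        self.delegate = None

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rels = (a.get("rel") or "").lower().split()
        if "openid.server" in rels:
            self.server = a.get("href")
        if "openid.delegate" in rels:
            self.delegate = a.get("href")


def discover(claimed_id, page_html):
    """Return (server, delegate) for the page served at claimed_id.

    Per OpenID 1.1, without an openid.delegate link the provider is asked to
    assert the claimed identifier itself.
    """
    p = _DelegationLinks()
    p.feed(page_html)
    if p.server is None:
        raise ValueError("no openid.server link at " + claimed_id)
    return p.server, (p.delegate or claimed_id)


class RelyingParty:
    """Toy RP. Accounts are keyed on the claimed identifier, as the thread
    assumes; the (server, delegate) pair seen at first login is remembered so
    a later change can at least be noticed (a check added in this example,
    not something the thread proposes)."""

    def __init__(self):
        self.accounts = {}   # claimed_id -> local account name
        self.bindings = {}   # claimed_id -> (server, delegate) at first login

    def login(self, claimed_id, page_html):
        server, delegate = discover(claimed_id, page_html)
        # A real RP now redirects to `server`, which signs an assertion for
        # `delegate`; the example assumes that round trip succeeded.
        account = self.accounts.setdefault(
            claimed_id, "acct-%d" % (len(self.accounts) + 1))
        first = self.bindings.setdefault(claimed_id, (server, delegate))
        changed = first != (server, delegate)
        return {"account": account, "server": server,
                "delegate": delegate, "delegation_changed": changed}


# Constructed pages: the same URL before and after foo.com recycles the name.
PAGE_ORIGINAL_OWNER = """<html><head>
<link rel="openid.server" href="https://idp-a.example/openid/server">
<link rel="openid.delegate" href="https://idp-a.example/u/dcorbin">
</head><body>blog</body></html>"""

PAGE_NEW_OWNER = """<html><head>
<link rel="openid.server" href="https://idp-b.example/server">
<link rel="openid.delegate" href="https://idp-b.example/u/someone-else">
</head><body>new tenant's blog</body></html>"""

CLAIMED_ID = "http://dcorbin.foo.com"  # constructed, after David's example


def recycled_identifier_scenario():
    """Log in twice with the same claimed identifier, once per owner."""
    rp = RelyingParty()
    before = rp.login(CLAIMED_ID, PAGE_ORIGINAL_OWNER)
    after = rp.login(CLAIMED_ID, PAGE_NEW_OWNER)
    return before, after


if __name__ == "__main__":
    before, after = recycled_identifier_scenario()
    print("original owner ->", before)
    print("new owner      ->", after)
    print("same local account:", before["account"] == after["account"])
```

Both logins land on the same local account even though the provider and delegate identifier behind the URL have changed completely; recording the (server, delegate) pair lets the RP notice the change, but it cannot tell a legitimate provider migration from a recycled name, which is exactly the ambiguity the thread is about.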