[OpenID] Relying Party Best Practices

ydnar ydnar at shaderlab.com
Fri Mar 9 16:19:48 UTC 2007


Is it possible for a provider to essentially reject any previous
external site's assertions about a URI under its control?

If the consumer stored the reference with another opaque identifier,  
for instance the numeric user ID or another unique string you could  
have reusable URIs. The pair of [URI, ID] would identify the  
particular URI + "owner" for assertions.

If dcorbin.foo.com was recycled and given to another user, the pair  
would change from [dcorbin.foo.com, 1] to [dcorbin.foo.com, 2] which  
would trigger reauthentication (assertion).

Would this suffice?

Randy


On Mar 9, 2007, at 4:20 AM, David Corbin wrote:

> On Friday 09 March 2007 05:07, Mark Fowler wrote:
>> On 9 Mar 2007, at 00:55, Karl Anderson wrote:
>>> Consider the perverse case where example.org gets sold a few  
>>> times to
>>> people who use it to log into Jyte,
>>
>> Er, if you sell your OpenID then you're selling your identity.  Don't
>> do that unless you really want someone else to be able to claim
>> they're you.
>
> This places on an obligation on IPs to NEVER re-use userIds then,  
> doesn't it?
> I haven't seen this mentioned anywhere, and is also a down side to  
> using
> delegation (unless you own the domain and will forever, even after  
> your
> dead).
>
> Suppose I blog at foo.com, so I use http://dcorbin.foo.com as my  
> openId (which
> delegates the authentication to my IP).  Now I choose to move my  
> blog over to
> bar.com, because I like their blogging software better.  I can  
> reasonably
> expect foo.com to never re-use my ID for a year or two, but  
> eventually I
> expect it to be recycled.
>
> -- 
> David Corbin
> Games, Gamers, Gaming - a blog - http://g3.machturtle.com
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
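The [URI, ID] scheme Randy proposes, as an added example in Python that is not part of this thread or of any OpenID library. It assumes the relying party already has a verified assertion in hand, that the provider supplies a stable opaque owner identifier alongside the claimed URI, and that the store, account model and function names are all invented here for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Hypothetical relying-party data model (example code, not from the list
# discussion): local accounts are keyed on the pair (claimed URI, opaque owner
# id supplied by the provider) instead of on the URI alone, so a recycled URI
# cannot inherit the previous owner's local account.
Key = Tuple[str, str]


@dataclass
class Account:
    local_id: int
    claimed_uri: str
    owner_id: str


@dataclass
class RelyingPartyStore:
    accounts: Dict[Key, Account] = field(default_factory=dict)
    next_local_id: int = 1

    def lookup(self, claimed_uri: str, owner_id: str) -> Optional[Account]:
        """Exact match on the (URI, owner) pair only."""
        return self.accounts.get((claimed_uri, owner_id))

    def uri_known(self, claimed_uri: str) -> bool:
        """True if this URI was ever bound to any owner id."""
        return any(uri == claimed_uri for uri, _ in self.accounts)

    def bind(self, claimed_uri: str, owner_id: str) -> Account:
        """Create a fresh local account for a (URI, owner) pair."""
        acct = Account(self.next_local_id, claimed_uri, owner_id)
        self.next_local_id += 1
        self.accounts[(claimed_uri, owner_id)] = acct
        return acct


def resolve_assertion(store: RelyingPartyStore, claimed_uri: str,
                      owner_id: str) -> Tuple[str, Account]:
    """Classify an already-verified assertion about claimed_uri.

    Returns (outcome, account), where outcome is one of:
      "known"    - the exact (URI, owner) pair is bound: ordinary login
      "new"      - URI never seen before: create a fresh local account
      "recycled" - URI seen before under a different owner id: treat the
                   asserting party as a new principal and never attach it
                   to the old account (the case of dcorbin.foo.com changing
                   hands, [dcorbin.foo.com, 1] -> [dcorbin.foo.com, 2])
    """
    existing = store.lookup(claimed_uri, owner_id)
    if existing is not None:
        return "known", existing
    outcome = "recycled" if store.uri_known(claimed_uri) else "new"
    return outcome, store.bind(claimed_uri, owner_id)


def demo() -> list:
    """Walk through the thread's scenario with constructed owner ids."""
    store = RelyingPartyStore()
    outcomes = []
    for uri, owner in [("http://dcorbin.foo.com", "1"),   # original owner
                       ("http://dcorbin.foo.com", "1"),   # same owner again
                       ("http://dcorbin.foo.com", "2")]:  # URI recycled
        outcome, acct = resolve_assertion(store, uri, owner)
        outcomes.append(outcome)
        print(f"{uri} owner={owner}: {outcome} (local account {acct.local_id})")
    return outcomes


if __name__ == "__main__":
    demo()
```

The check only works if the owner id really is opaque and stable per person on the provider side; the relying party must also store the pair as received at first login, since nothing in the URI itself reveals that it has changed hands.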