[OpenID] Relying Party Best Practices

Karl Anderson kra at monkey.org
Fri Mar 9 18:48:35 UTC 2007


Mark Fowler <mark at twoshortplanks.com> writes:

> On 9 Mar 2007, at 00:55, Karl Anderson wrote:
>
>> Assuming that URLs to Jyte content don't change, this meant at one
>> time that if a user changed his identity URL, information linking
>> content to that OpenID was lost - I removed one of my identity URLs
>> from the site and claims that used to be about me weren't associated
>> with my user anymore until I put it back.
>
> On the other hand, due to having Jyte claims refer to an OpenID they
> are universal - they're useful outside Jyte.  If you instead make
> claims about a username this becomes a lot less useful because they
> change between sites, etc.  You're making a claim about a URI, which
> means you can...well...universally identify that resource.  Also, I
> can use Jyte to make claims about people who have an openid who have
> _*never* *used* *Jyte*

That's a good point, but it contradicts the Would Be Nice practice of
allowing users to change their identifier.  I think that's more
important - remember, users should be able to preserve their identity
if they switch providers.

>> Consider the perverse case where example.org gets sold a few times to
>> people who use it to log into Jyte,
>
> Er, if you sell your OpenID then you're selling your identity.  Don't
> do that unless you really want someone else to be able to claim
> they're you.

No, I wouldn't be selling an OpenID, I'd be selling a URL.  I
wouldn't want to lose a URL used as an OpenID identifier without first
disassociating it from any of my identities.  Conversely, I can't stop
kra.myopenid.com from being taken from me - that's why Relying Parties
need to let users be flexible.

To my knowledge, OpenID doesn't stop anyone from claiming to be you,
it keeps them from authenticating as you to Relying Parties.  A rogue
site could say "example.org added this content", and OpenID doesn't
prevent that.

-- 
Karl Anderson      kra at monkey.org      http://monkey.org/~kra/
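The account model the message argues for (content attached to a local user record, OpenID identifier URLs treated as detachable keys that can be added, removed and later claimed by someone else) is shown below as an added example. It is not code from the thread, from Jyte, or from any OpenID library; `RelyingPartyStore`, `User` and `normalize_identifier` are names chosen here, and the normalization is a simplified stand-in for the spec's rules rather than a conformant implementation.

```python
"""Toy Relying Party account store (added example, not from the thread).

Design points it demonstrates:
  * content belongs to a local user id, never to an identifier URL, so
    dropping or swapping an OpenID URL does not orphan existing content;
  * an identifier freed by one user can be registered by another, and the
    new user starts with no content (the "URL changes hands" case);
  * content is posted only against a uid obtained from a completed
    authentication, never against a bare URL, so a third party asserting
    "example.org added this" has no path into the store.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit


@dataclass
class User:
    uid: int
    identifiers: set = field(default_factory=set)    # normalized OpenID URLs
    content_ids: list = field(default_factory=list)  # content owned by this uid


def normalize_identifier(raw: str) -> str:
    """Simplified normalization (assumption: approximates, does not implement,
    the OpenID rules): add a scheme if missing, lowercase scheme and host,
    default the path to '/', drop the fragment."""
    raw = raw.strip()
    if "://" not in raw:
        raw = "http://" + raw
    p = urlsplit(raw)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class RelyingPartyStore:
    def __init__(self):
        self._users = {}          # uid -> User
        self._by_identifier = {}  # normalized URL -> uid
        self._next_uid = 1

    def lookup(self, identifier):
        """uid currently linked to this URL, or None if it is unclaimed."""
        return self._by_identifier.get(normalize_identifier(identifier))

    def register(self, identifier):
        """Create a local user for a freshly authenticated identifier."""
        ident = normalize_identifier(identifier)
        if ident in self._by_identifier:
            raise ValueError("identifier already linked to a user")
        user = User(uid=self._next_uid)
        self._next_uid += 1
        self._users[user.uid] = user
        self._link(user, ident)
        return user.uid

    def _link(self, user, ident):
        user.identifiers.add(ident)
        self._by_identifier[ident] = user.uid

    def add_identifier(self, uid, identifier):
        """Link another URL to an existing account. The caller must only do
        this after the RP has completed OpenID authentication for that URL
        inside the session already logged in as `uid`."""
        ident = normalize_identifier(identifier)
        if ident in self._by_identifier:
            raise ValueError("identifier already linked to a user")
        self._link(self._users[uid], ident)

    def remove_identifier(self, uid, identifier):
        """Detach a URL so the user can give it up (or it can be taken) without
        losing the account; the last identifier is kept so the account stays
        reachable."""
        ident = normalize_identifier(identifier)
        user = self._users[uid]
        if ident not in user.identifiers:
            raise KeyError("identifier not linked to this user")
        if len(user.identifiers) == 1:
            raise ValueError("cannot remove the last identifier")
        user.identifiers.discard(ident)
        del self._by_identifier[ident]

    def post_content(self, uid, content_id):
        # Attribution is by uid from an authenticated session, not by URL.
        self._users[uid].content_ids.append(content_id)

    def content_for_user(self, uid):
        return list(self._users[uid].content_ids)

    def content_for(self, identifier):
        """What a visitor sees when asking 'what did this URL post?'"""
        uid = self.lookup(identifier)
        return [] if uid is None else self.content_for_user(uid)


def demo():
    """The scenario from the thread, with constructed identifiers."""
    store = RelyingPartyStore()
    uid = store.register("kra.myopenid.com")          # constructed, from the thread
    store.post_content(uid, "claim-1")
    store.add_identifier(uid, "http://example.org/")  # constructed second URL
    store.remove_identifier(uid, "kra.myopenid.com")  # user gives the URL up
    new_uid = store.register("KRA.myopenid.com")      # someone else takes it
    return {
        "old_user_keeps_content": store.content_for("example.org") == ["claim-1"],
        "new_owner_sees_nothing": store.content_for("kra.myopenid.com") == [],
        "accounts_distinct": new_uid != uid,
    }


if __name__ == "__main__":
    print(demo())
```

The key choice is that `_by_identifier` is a lookup index, not the primary key: deleting from it unlinks the URL but leaves `User.content_ids` untouched, which is exactly the behaviour the message says Jyte lacked.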
