[OpenID] Relying Party Best Practices

ydnar ydnar at shaderlab.com
Fri Mar 9 19:44:48 UTC 2007


This isn’t a new problem. The web is full of stale links to sites
that are dead or have changed hands. Having a pairwise assertion with
an ID would only prevent the user who inherited the URL from
asserting control over accounts on sites the previous owner had.

Randy


On Mar 9, 2007, at 10:35 AM, Martin Atkins wrote:

> ydnar wrote:
>> Is it possible for a provider to essentially reject any previous
>> external site’s assertions about a URI under its control?
>>
>> If the consumer stored the reference with another opaque identifier,
>> for instance the numeric user ID or another unique string you could
>> have reusable URIs. The pair of [URI, ID] would identify the
>> particular URI + "owner" for assertions.
>>
>> If dcorbin.foo.com was recycled and given to another user, the pair
>> would change from [dcorbin.foo.com, 1] to [dcorbin.foo.com, 2] which
>> would trigger reauthentication (assertion).
>>
>> Would this suffice?
>>
>
> This is possible. This is, in fact, basically how i-names work: the
> i-name references an i-number, and the i-numbers are guaranteed
> never to be reused.
>
> The difference is that in this case the "other opaque identifier" is
> identifier-local rather than global. Most sites would use some
> transformation of their numeric primary key for this, I guess.
>
> I like this idea, but it does raise the question of how to
> disambiguate the different "versions" of a particular identifier
> across sites. Sites are unlikely to want to put "Posted By Martin
> Atkins [mart.degeneration.co.uk,1]" in their UIs. This concern exists
> for i-names as well... as soon as your data outlives your displayed
> identifier, you've got problems.
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
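The [URI, ID] pairing proposed in the quoted message, as an added example that is not from the thread or from any OpenID library: a relying party keys its accounts on the (identifier, provider-local owner ID) pair, so a recycled URL arriving with a new owner ID is classified as "recycled" instead of resolving to the previous owner's account. The account store, the dcorbin.foo.com and mart.degeneration.co.uk names and the owner IDs are sample values constructed around the thread.

```python
"""Relying-party account lookup keyed on the [URI, opaque owner ID] pair.
Constructed example; the account store and the sample identifiers are
assumptions, not part of the thread or any OpenID implementation."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    local_user: str   # the relying party's own account name
    identifier: str   # the OpenID URL the user authenticated with
    owner_id: str     # provider-local opaque ID for the URL's current owner


@dataclass
class RelyingParty:
    # Keyed on the pair, not the URL alone, so a recycled URL presented
    # with a different owner ID never maps to the previous owner's account.
    accounts: Dict[Tuple[str, str], Account] = field(default_factory=dict)

    def link(self, local_user: str, identifier: str, owner_id: str) -> Account:
        acct = Account(local_user, identifier, owner_id)
        self.accounts[(identifier, owner_id)] = acct
        return acct

    def resolve(self, identifier: str, owner_id: str) -> Tuple[str, Optional[Account]]:
        """Classify a successful provider assertion for (identifier, owner_id).

        "known"    - exact pair seen before; grant access to that account.
        "recycled" - URL known under another owner ID; do NOT grant access to
                     the old account, treat it as a fresh identity.
        "new"      - URL never seen at all.
        """
        acct = self.accounts.get((identifier, owner_id))
        if acct is not None:
            return "known", acct
        if any(uri == identifier for uri, _ in self.accounts):
            return "recycled", None
        return "new", None


def demo() -> List[str]:
    rp = RelyingParty()
    rp.link("dcorbin", "dcorbin.foo.com", "1")
    outcomes = [rp.resolve("dcorbin.foo.com", "1")[0]]   # original owner again
    outcomes.append(rp.resolve("dcorbin.foo.com", "2")[0])  # URL handed to user 2
    outcomes.append(rp.resolve("mart.degeneration.co.uk", "7")[0])  # never seen
    return outcomes
```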
