[OpenID] Relying Party Best Practices

David Corbin dcorbin at machturtle.com
Fri Mar 9 22:33:57 UTC 2007


On Friday 09 March 2007 14:02, Karl Anderson wrote:
> David Corbin <dcorbin at machturtle.com> writes:
> > On Friday 09 March 2007 05:07, Mark Fowler wrote:
> >> On 9 Mar 2007, at 00:55, Karl Anderson wrote:
> >> > Consider the perverse case where example.org gets sold a few times to
> >> > people who use it to log into Jyte,
> >>
> >> Er, if you sell your OpenID then you're selling your identity.  Don't
> >> do that unless you really want someone else to be able to claim
> >> they're you.
> >
> > This places an obligation on IPs to NEVER re-use userIds then, doesn't
> > it?
>
> I don't think an Identity Provider is responsible for anything other
> than authentication

I meant a moral obligation.

> (but I haven't absorbed yadis or other discovery 
> extensions, so I could be wrong).  If you've lost the control over who
> authenticates with an identity URL, and you haven't told a Relying
> Party that that URL shouldn't be used to authenticate you anymore,
> you've lost control of your identity with that Relying Party.

It's not just about authentication, it's about Identity, isn't it?

-- 
David Corbin
Games, Gamers, Gaming - a blog - http://g3.machturtle.com
