[OpenID] What's broken in OpenID 2.0? (IIW session)
ydnar
ydnar at shaderlab.com
Thu May 10 14:02:55 UTC 2007
Can the OP override the user’s input?
User asserts: brad.livejournal.com
LiveJournal overrides with: openid.livejournal.com/584593450349
Which (for LiveJournal) would be guaranteed unique, never recycled.
Randy
On May 9, 2007, at 11:46 PM, Martin Atkins wrote:
> Allen Tom wrote:
>>
>> Issue #2) OpenID recycling
>>
>> In order to free up desirable userids, many large OPs recycle userids
>> belonging to inactive accounts. If an OpenID is recycled, the new owner
>> will be able to access the previous owner's data if the RP is not aware
>> that the OpenID has changed ownership.
>>
>
> We have actually touched on this issue briefly in the past. One idea
> that was floated around was the use of a "serial number"[1] in addition
> to the OpenID URL, where providers would ensure that the same serial
> number is not used for two instances of the same identifier. However,
> this is troublesome because it requires RPs to change the way they store
> and identify identifiers, and is thus not backward-compatible.
>
> At the moment, OPs should not be recycling usernames at all. Any that
> are doing so are broken. That is not to say we should not come up with a
> better approach that allows recycling, however.
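To make the recycling problem and the two mitigations discussed in this thread concrete, here is an added example; it is not code from the thread, from LiveJournal, or from any OpenID library. It models a toy relying party that keys user accounts either on the bare URL the user typed (the naive case) or on a stable, never-recycled identifier chosen by the OP, falling back to the URL plus a per-ownership "serial number" as Martin describes. The `Assertion` shape, the serial numbers and the second stable identifier are constructed for the example.

```python
# Added example, not code from the OpenID thread or from any OpenID library.
# A toy relying party (RP) account store showing why keying accounts on the
# user-typed identifier is unsafe once an OP recycles usernames, and how the
# two mitigations raised in the thread (an OP-chosen never-recycled
# identifier, or a per-ownership "serial number" beside the URL) close it.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Assertion:
    """Simplified model of what the OP asserts after login (constructed)."""
    user_input: str            # identifier the user typed, e.g. brad.livejournal.com
    stable_id: Optional[str]   # OP-chosen unique identifier, None if the OP has none
    serial: Optional[int]      # hypothetical per-ownership serial number, None if absent


@dataclass
class Account:
    owner_label: str
    data: List[str] = field(default_factory=list)


Key = Tuple[str, ...]


def naive_key(a: Assertion) -> Key:
    """What a naive RP keys on: the bare URL the user typed."""
    return ("url", a.user_input)


def hardened_key(a: Assertion) -> Key:
    """Prefer the OP's stable identifier; fall back to (URL, serial); else the bare URL."""
    if a.stable_id:
        return ("stable", a.stable_id)
    if a.serial is not None:
        return ("serial", a.user_input, a.serial)
    return ("url", a.user_input)


class RelyingParty:
    def __init__(self, key_fn: Callable[[Assertion], Key]):
        self.key_fn = key_fn
        self.accounts: Dict[Key, Account] = {}
        self.last_key_for_url: Dict[str, Key] = {}

    def login(self, a: Assertion, owner_label: str) -> Tuple[Account, bool]:
        """Return (account, recycled). 'recycled' flags an ownership change of the
        same URL: the key derived for this login differs from the last one seen
        for that URL, which is worth logging even if the RP keys accounts safely."""
        key = self.key_fn(a)
        previous = self.last_key_for_url.get(a.user_input)
        recycled = previous is not None and previous != key
        self.last_key_for_url[a.user_input] = key
        account = self.accounts.setdefault(key, Account(owner_label))
        return account, recycled


def recycling_scenario(key_fn: Callable[[Assertion], Key]) -> Tuple[str, List[str], bool]:
    """Original owner stores data, the OP recycles the username, a new owner logs in.
    Returns (owner label of the account the new owner lands in, its data, recycled)."""
    rp = RelyingParty(key_fn)
    # Identifiers from the thread; the serial number is constructed.
    original = Assertion("brad.livejournal.com", "openid.livejournal.com/584593450349", 1)
    account, _ = rp.login(original, "original owner")
    account.data.append("private note")
    # Constructed: after recycling, the OP issues a fresh stable id and serial.
    # The stable id below is a placeholder, not a real LiveJournal identifier.
    new_owner = Assertion("brad.livejournal.com", "openid.livejournal.com/NEW-PLACEHOLDER", 2)
    account, recycled = rp.login(new_owner, "new owner")
    return account.owner_label, list(account.data), recycled


if __name__ == "__main__":
    print("naive RP:   ", recycling_scenario(naive_key))
    print("hardened RP:", recycling_scenario(hardened_key))
```

With `naive_key` the new owner lands in the original owner's account and sees its data; with `hardened_key` the same URL maps to a fresh account and the ownership change is flagged. The fallback to `(URL, serial)` illustrates Martin's point about backward compatibility: an RP that keys on it must change its storage schema, since the URL alone is no longer the primary key.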