[OpenID] What's broken in OpenID 2.0? (IIW session)
Terry Hayes
Terry.Hayes at corp.aol.com
Thu May 10 17:56:54 UTC 2007
On May 9, 2007, at 23:46 , Martin Atkins wrote:
> Allen Tom wrote:
>>
>> Issue #2) OpenID recycling
>>
>> In order to free up desirable userids, many large OPs recycle userids
>> belonging to inactive accounts. If an OpenID is recycled, the new
>> owner
>> will be able to access the previous owner's data if the RP is not
>> aware
>> that the OpenID has changed ownership.
>>
>
> We have actually touched on this issue briefly in the past. One idea
> that was floated around was the use of a "serial number"[1] in
> addition
> to the OpenID URL, where providers would ensure that the same serial
> number is not used for two instances of the same identifier. However,
> this is troublesome because it requires RPs to change the way they
> store
> and identify identifiers, and is thus not backward-compatible.
>
> At the moment, OPs should not be recycling usernames at all. Any that
> are doing so are broken. That is not to say we should not come up
> with a
> better approach that allows recycling, however.
As OpenID is defined today, there is no way to prevent recycling from
occurring. OPs have no way to prevent recycling of OpenID URLs that
were delegating the authentication to them.
The (one-time) owner of the OpenID URL is responsible for deleting
any content associated with that id before they lose control over the
id.
Terry
More information about the general
mailing list