[OpenID] Recycling OpenIDs (Was: What's broken in OpenID 2.0? (IIW session))
Martin Atkins
mart at degeneration.co.uk
Fri May 11 06:40:18 UTC 2007
Dick Hardt wrote:
> I've been reflecting on this and I wonder if recycling OpenIDs is a
> *good* thing.
>
> I understand the incentive for sites with large user bases to be able
> to recycle names.
>
> An OpenID is much more then just a means of proving it is me again at
> a website. An OpenID is a URI that is globally unique and that sites
> can and *will* attach reputation to. It is also human readable, so
> when I see the same OpenID at numerous sites, I expect it to refer to
> the same entity. We expect the URI to be consistent over time and space.
I agree completely with you, but in reality OPs don't seem to agree with
us on this. LiveJournal, for example, just recently purged a large
number of "unused" usernames from their system which are now up for
grabs by new users; these may well have been used as OpenID identifiers
at some point.
I'd be nice if we could provide a lightweight way to handle this so that
we can say "if you insist on recycling usernames, here's a way you can
do it in a less dangerous manner." Obviously it would be strongly
advised that this is not done, so hopefully dedicated providers like
MyOpenID would never do it but providers that primarily offer a separate
service (LiveJournal, AOL, Vox, ...) don't have to change their
recycling practices.
> Any special treatment such as unique fragment must be preserved as
> part of the URL wherever it is used and displayed otherwise there
> will be confusion as to who the OpenID refers. I think that once a
> URL has been handed out to a user, it is permanent.
Indeed I share your concern about having a "hidden" identifier that
can't be seen by users of a site. Perhaps a middle-road is to find some
way to put the unique "recycling identifier" in the fragment identifier
portion of the URL (the bit after the #) where it won't make any
difference in the resolving of the URL but it will make the URL
lexically different.
We'd have to think of a way to introduce that fragment without the user
having to manually enter it, though, and figure out when and how it
should be displayed to the user.
The best practice could then be "Don't recycle identifier URLs. If you
*do* recycle identifier URLs, <do whatever we decide here only for the
new, duplicate URLs.>"
The alternative is to say "If you want to be an OP, you forfeit the
ability to recycle your user accounts." I guess I'd be happy with that
as a solution too, especially since it might reduce the ever-growing
pool of OPs-on-the-back-of-other-services and encourage these sites to
actually implement RPs instead.
More information about the general
mailing list