[OpenID] Recycling OpenIDs (Was: What's broken in OpenID 2.0? (IIW session))

Fri May 11 06:40:18 UTC 2007

Dick Hardt wrote:
> I've been reflecting on this and I wonder if recycling OpenIDs is a  
> *good* thing.
> 
> I understand the incentive for sites with large user bases to be able  
> to recycle names.
> 
> An OpenID is much more then just a means of proving it is me again at  
> a website. An OpenID is a URI that is globally unique and that sites  
> can and *will* attach reputation to. It is also human readable, so  
> when I see the same OpenID at numerous sites, I expect it to refer to  
> the same entity. We expect the URI to be consistent over time and space.

I agree completely with you, but in reality OPs don't seem to agree with 
us on this. LiveJournal, for example, just recently purged a large 
number of "unused" usernames from their system which are now up for 
grabs by new users; these may well have been used as OpenID identifiers 
at some point.

I'd be nice if we could provide a lightweight way to handle this so that 
we can say "if you insist on recycling usernames, here's a way you can 
do it in a less dangerous manner." Obviously it would be strongly 
advised that this is not done, so hopefully dedicated providers like 
MyOpenID would never do it but providers that primarily offer a separate 
service (LiveJournal, AOL, Vox, ...) don't have to change their 
recycling practices.

> Any special treatment such as unique fragment must be preserved as  
> part of the URL wherever it is used and displayed otherwise there  
> will be confusion as to who the OpenID refers. I think that once a  
> URL has been handed out to a user, it is permanent.

Indeed I share your concern about having a "hidden" identifier that 
can't be seen by users of a site. Perhaps a middle-road is to find some 
way to put the unique "recycling identifier" in the fragment identifier 
portion of the URL (the bit after the #) where it won't make any 
difference in the resolving of the URL but it will make the URL 
lexically different.

We'd have to think of a way to introduce that fragment without the user 
having to manually enter it, though, and figure out when and how it 
should be displayed to the user.

The best practice could then be "Don't recycle identifier URLs. If you 
*do* recycle identifier URLs, <do whatever we decide here only for the 
new, duplicate URLs.>"

The alternative is to say "If you want to be an OP, you forfeit the 
ability to recycle your user accounts." I guess I'd be happy with that 
as a solution too, especially since it might reduce the ever-growing 
pool of OPs-on-the-back-of-other-services and encourage these sites to 
actually implement RPs instead.