[OpenID] Recycling OpenIDs (Was: What's broken in OpenID 2.0? (IIW session))
ydnar
ydnar at shaderlab.com
Fri May 11 17:10:56 UTC 2007
On May 10, 2007, at 11:40 PM, Martin Atkins wrote:
> The best practice could then be "Don't recycle identifier URLs. If you
> *do* recycle identifier URLs, <do whatever we decide here only for the
> new, duplicate URLs.>"
>
> The alternative is to say "If you want to be an OP, you forfeit the
> ability to recycle your user accounts." I guess I'd be happy with that
> as a solution too, especially since it might reduce the ever-growing
> pool of OPs-on-the-back-of-other-services and encourage these sites to
> actually implement RPs instead.
That’s a non-starter.

A signed pair of user-provided URL + OP-provided opaque ID as the
true identifier is a workable solution to this problem. Forcing a
business policy is not.

This doesn’t have to be OpenID 2.0, either. It can be an extension to
OpenID 1.1 (or call it 1.2).
Randy
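
One way a relying party could key accounts on the signed (URL, opaque ID) pair proposed above, as an added example that is not part of the original post or of any OpenID specification. The shared MAC key, the signed message layout, and the `Provider` and `RelyingParty` classes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: OP and RP share a MAC key, as in an OpenID association.
ASSOC_KEY = secrets.token_bytes(32)

def sign(key, url, opaque):
    # Length-prefix the URL so the URL/opaque-ID boundary is unambiguous.
    msg = f"{len(url)}:{url}{opaque}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Provider:
    """Hypothetical OP: issues a fresh opaque ID whenever a URL is (re)assigned."""
    def __init__(self, key):
        self._key = key
        self._opaque = {}  # claimed URL -> opaque ID of its current owner

    def assign(self, url):
        # Called on account creation, including when a URL is recycled.
        self._opaque[url] = secrets.token_hex(16)

    def assert_identity(self, url):
        opaque = self._opaque[url]
        return url, opaque, sign(self._key, url, opaque)

class RelyingParty:
    """Hypothetical RP: the account key is the pair, never the URL alone."""
    def __init__(self, key):
        self._key = key
        self.accounts = {}  # (url, opaque) -> local account number

    def login(self, url, opaque, sig):
        if not hmac.compare_digest(sig, sign(self._key, url, opaque)):
            raise ValueError("bad signature on identifier pair")
        return self.accounts.setdefault((url, opaque), len(self.accounts) + 1)

def demo():
    op, rp = Provider(ASSOC_KEY), RelyingParty(ASSOC_KEY)
    url = "https://op.example/alice"  # constructed sample URL
    op.assign(url)
    first = rp.login(*op.assert_identity(url))
    again = rp.login(*op.assert_identity(url))     # same owner, same account
    op.assign(url)                                 # URL recycled to a new user
    recycled = rp.login(*op.assert_identity(url))  # new pair, new account
    return first, again, recycled
```
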