[OpenID] Recycling OpenIDs (Was: What's broken in OpenID 2.0? (IIW session))
John Panzer
jpanzer at aol.net
Fri May 11 17:19:53 UTC 2007
ydnar wrote:
> On May 10, 2007, at 11:40 PM, Martin Atkins wrote:
>
>
>> The best practice could then be "Don't recycle identifier URLs. If you
>> *do* recycle identifier URLs, <do whatever we decide here only for the
>> new, duplicate URLs.>"
>>
>> The alternative is to say "If you want to be an OP, you forfeit the
>> ability to recycle your user accounts." I guess I'd be happy with that
>> as a solution too, especially since it might reduce the ever-growing
>> pool of OPs-on-the-back-of-other-services and encourage these sites to
>> actually implement RPs instead.
>>
>
> That’s a non-starter.
>
> A signed pair of user-provided URL + OP-provided opaque ID as the
> true identifier is a workable solution to this problem. Forcing a
> business policy is not.
>
> This doesn’t have to be OpenID 2.0, either. It can be an extension to
> OpenID 1.1 (or call it 1.2).
>
+1. This policy would effectively "steal" large amounts of namespace
from providers such as AOL.
And believe me, AOL is very concerned about recycling and the issues
therein. We of course have a globally unique identifier that's used
internally in exactly the way described above; this lets you
disambiguate whether example.org/fred is the same fred as last year or a
new fred. For policy reasons we can't expose that GUID, but perhaps a
hash(GUID,RP identifier) would be perfectly fine to expose in a standard
"permaGUID" attribute.
Yes, this doesn't help with disambiguating things like authors of blog
posts in archives. But there datestamps are usually available.
John
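The "signed pair of user-provided URL + OP-provided opaque ID" and the hash(GUID, RP identifier) "permaGUID" idea above, modelled as an added example. This is not code from the thread, from AOL, or from any OpenID library; it is a simplified toy in which the OP signs its assertion with a shared HMAC secret (standing in for an OpenID association), and the names `perma_guid`, `issue_assertion`, `RelyingParty` and the secret values are all constructed for illustration. It shows what the RP gains: the same claimed URL reappearing with a different permaGUID means the identifier was recycled, and because the permaGUID is keyed per RP realm, two RPs cannot correlate a user by it and the internal GUID is never exposed.

```python
import hashlib
import hmac
import json

# Constructed OP-side secrets for the example (hypothetical; not from the thread).
# The pairwise secret keeps hash(GUID, RP identifier) from being brute-forced
# by an RP that can guess GUID formats; the signing secret plays the role of
# an OpenID association MAC key shared between OP and RP.
OP_PAIRWISE_SECRET = b"op-pairwise-secret-example"
OP_SIGNING_SECRET = b"op-signing-secret-example"


def perma_guid(internal_guid: str, rp_realm: str) -> str:
    """Pairwise, opaque identifier: keyed hash of (internal GUID, RP realm).

    Stable for one account at one RP; different at every other RP, and
    different again if the same URL is later handed to a new account.
    """
    msg = internal_guid.encode() + b"\x00" + rp_realm.encode()
    return hmac.new(OP_PAIRWISE_SECRET, msg, hashlib.sha256).hexdigest()


def _canonical(payload: dict) -> bytes:
    """Deterministic serialisation so OP and RP sign/verify the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(claimed_id: str, internal_guid: str, rp_realm: str) -> dict:
    """OP side: bind the user-visible URL and the opaque ID under one signature."""
    payload = {
        "claimed_id": claimed_id,
        "permaguid": perma_guid(internal_guid, rp_realm),
        "realm": rp_realm,
    }
    sig = hmac.new(OP_SIGNING_SECRET, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_assertion(assertion: dict, signing_secret: bytes = OP_SIGNING_SECRET) -> bool:
    """RP side: reject anything whose (URL, permaGUID, realm) triple was altered."""
    expected = hmac.new(signing_secret, _canonical(assertion["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["sig"])


class RelyingParty:
    """Toy RP that remembers which permaGUID it first saw behind each URL."""

    def __init__(self, realm: str):
        self.realm = realm
        self.accounts: dict[str, str] = {}  # claimed_id -> permaguid seen at first login

    def login(self, assertion: dict) -> str:
        if not verify_assertion(assertion):
            return "rejected"  # forged or tampered assertion
        p = assertion["payload"]
        if p["realm"] != self.realm:
            return "rejected"  # assertion minted for a different RP; do not accept replays
        known = self.accounts.get(p["claimed_id"])
        if known is None:
            self.accounts[p["claimed_id"]] = p["permaguid"]
            return "new"
        if hmac.compare_digest(known, p["permaguid"]):
            return "returning"
        # Same URL, different opaque ID: the OP recycled the identifier.
        # The RP must not hand the old account to the new holder; it leaves
        # the stored mapping alone and lets the caller provision afresh.
        return "recycled"


if __name__ == "__main__":
    rp = RelyingParty("https://rp.example/")
    first_fred = issue_assertion("http://example.org/fred", "guid-fred-2006", "https://rp.example/")
    print(rp.login(first_fred))  # new
    print(rp.login(first_fred))  # returning
    later_fred = issue_assertion("http://example.org/fred", "guid-fred-2007", "https://rp.example/")
    print(rp.login(later_fred))  # recycled
```

The RP keys its local account on the pair, not on the URL alone, which is the whole point of the proposal; the datestamp caveat in the message still applies to historical data such as blog archives, where no assertion is available to disambiguate.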