[OpenID] Recycling OpenIDs (Was: What's broken in OpenID 2.0? (IIW session))
Martin Atkins
mart at degeneration.co.uk
Fri May 11 17:51:39 UTC 2007
John Panzer wrote:
>
> And believe me, AOL is very concerned about recycling and the issues
> therein. We of course have a globally unique identifier that's used
> internally in exactly the way described above; this lets you
> disambiguate whether example.org/fred is the same fred as last year or a
> new fred. For policy reasons we can't expose that GUID, but perhaps a
> hash(GUID,RP identifier) would be perfectly fine to expose in a standard
> "permaGUID" attribute.
>
> Yes, this doesn't help with disambiguating things like authors of blog
> posts in archives. But there datestamps are usually available.
>
An identifier plus a timestamp alone don't really help you much, because
you probably don't know at what point in time the identifier ceased to
be one person and started to be another.

This problem is really in two halves, with different needs each:

A) HTTP URLs for authentication. This is to do with preventing a
subsequent identifier owner from accessing data created by prior owners.

B) HTTP URLs for identification. This is to do with figuring out who
actually did something given only an OpenID identifier as attribution.

Email addresses are in much the same situation (they're often used as
identifiers, and they're often recycled).

When email addresses are used for authentication, they're often paired
up with a password to solve problem A. However, subsequent owners of an
email address are often able to recover passwords by having them sent to
the email account, so email fails need A.

When email addresses are used for identification, we are stuck using
timestamps and knowledge obtained from elsewhere about when the
identifier changed hands in order to figure out who posted something.
Email fails need B also.

Therefore we have basically two choices:

* Continue with the protocol as it currently stands, in which case we
are no better but no worse than email addresses. Note that email
addresses as identifiers have been around for much longer than OpenID
identifiers and yet in practice it hasn't posed much of a problem.

* Invent some mechanism for distinguishing old user and new user when
performing OpenID authentication, at the cost of an inconsistent user
experience (because old RPs won't support it) and a more complicated
protocol. We still won't have solved problem B unless we can display the
extra disambiguation token, but if you're going to change what's
displayed then why not just make the URL different?

(It's interesting to note as an aside that XRI solves problem A but it
does not solve problem B unless the canonical i-number is displayed
alongside the i-name when attributing a user. We could probably learn
some things from XRI synonyms when it comes to solving problem A.)