[OpenID] Recycling OpenIDs (Was: What's broken in OpenID 2.0? (IIW session))

John Panzer jpanzer at aol.net
Wed May 16 17:28:19 UTC 2007


Martin Atkins wrote:
> John Panzer wrote:
>   
>> And believe me, AOL is very concerned about recycling and the issues 
>> therein.  We of course have a globally unique identifier that's used 
>> internally in exactly the way described above; this lets you 
>> disambiguate whether example.org/fred is the same fred as last year or a 
>> new fred.  For policy reasons we can't expose that GUID, but perhaps a 
>> hash(GUID,RP identifier) would be perfectly fine to expose in a standard 
>> "permaGUID" attribute.
>>
>> Yes, this doesn't help with disambiguating things like authors of blog 
>> posts in archives.  But there datestamps are usually available. 
>>
>>     
>
> An identifier plus a timestamp alone don't really help you much, because 
> you probably don't know at what point in time the identifier ceased to 
> be one person and started to be another.
>
> This problem is really in two halves, with different needs each:
>
>   A) HTTP URLs for authentication. This is to do with preventing a 
> subsequent identifier owner from accessing data created by prior owners.
>
>   B) HTTP URLs for identification. This is to do with figuring out who 
> actually did something given only an OpenID identifier as attribution.
>   
In many cases, you also have a time context.  Almost everything 
published on the web and other places has at least a simple timestamp on 
it: Blog posts, web pages, events, log entries... In a large and 
interesting subset of the problem space, you can make a 99% accurate 
inference that http://bob.com/ on May 15, 2007 is almost certainly the 
same person as http://bob.com/ on May 17, 2007.  If you have some best 
practices that put a known buffer between recyclings (1 month, 1 year, 
whatever) you can improve this accuracy.  And of course if you control 
the data you can always add a timestamp.  (If you don't control it, 
perhaps you can't achieve 100% accuracy anyway.)

In other words, I disagree with the premise that there's not enough 
information to achieve a reasonable approximation of B, as long as we 
restrict B to trying to answer "do identifiers X at time0 and X at time1 
denote the same identity?".

I don't see another way to solve this other than by adding a GUID to the 
identifier-as-published-on-the-web (or at least a revision number) which 
is, in a word, ugly.  Also no less prone to social engineering attacks IMHO.

-John
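The two mechanisms discussed in this exchange, a per-RP "permaGUID" derived from the OP's internal GUID and the RP identifier, plus the time-only inference under a known recycling buffer, worked through as an added example (not code from the thread or from any OpenID implementation). Assumptions: the OP keys the derivation with a secret (an HMAC rather than the bare hash(GUID, RP identifier) John mentions, so a guessed GUID cannot be checked offline), the RP keeps the permaGUID it first saw for each claimed identifier, and the OP really does keep a released identifier unassignable for the whole buffer; all GUIDs, secrets and URLs below are constructed.

```python
import hashlib
import hmac
from datetime import date, timedelta
from typing import Dict, Optional

# --- OP side: a stable, per-RP pseudonym for the real (unexposed) GUID ---
def perma_guid(op_secret: bytes, guid: str, rp_identifier: str) -> str:
    """HMAC(secret, GUID || RP identifier). Same GUID + same RP -> same value;
    a recycled identifier gets a fresh GUID and therefore a different value;
    two RPs see unrelated values, so they cannot correlate the user."""
    msg = guid.encode() + b"\x00" + rp_identifier.encode()
    return hmac.new(op_secret, msg, hashlib.sha256).hexdigest()

# --- RP side: detect that example.org/fred is no longer last year's fred ---
class RecyclingDetector:
    def __init__(self) -> None:
        self.known: Dict[str, str] = {}  # claimed identifier -> permaGUID first seen

    def check(self, identifier: str, perma: str) -> str:
        """Returns 'new', 'same' or 'recycled'. On 'recycled' the RP should treat
        the login as a different principal and not hand over the old account."""
        prev = self.known.get(identifier)
        if prev is None:
            self.known[identifier] = perma
            return "new"
        if hmac.compare_digest(prev, perma):
            return "same"
        self.known[identifier] = perma  # new owner of the same URL
        return "recycled"

# --- Time-only inference (half B) under a known recycling buffer ---
def same_owner_by_time(t0: date, t1: date, recycle_buffer: timedelta) -> Optional[bool]:
    """If a released identifier stays unassignable for recycle_buffer, two sightings
    closer together than that cannot straddle a release and reassignment, so they
    denote the same owner. Farther apart, timestamps alone are inconclusive (None)."""
    return True if abs(t1 - t0) < recycle_buffer else None

def run_demo() -> Dict[str, object]:
    secret = b"constructed-op-secret"               # constructed value
    rp = "https://rp.example/"                      # constructed RP identifier
    url = "http://example.org/fred"                 # the claimed identifier
    fred_2006 = perma_guid(secret, "guid-1111", rp)  # last year's fred
    fred_2007 = perma_guid(secret, "guid-2222", rp)  # identifier reassigned
    det = RecyclingDetector()
    return {
        "first": det.check(url, fred_2006),
        "again": det.check(url, fred_2006),
        "after_recycle": det.check(url, fred_2007),
        "cross_rp_linkable": perma_guid(secret, "guid-1111", rp)
                             == perma_guid(secret, "guid-1111", "https://other.example/"),
        "two_days_apart": same_owner_by_time(date(2007, 5, 15), date(2007, 5, 17), timedelta(days=30)),
        "a_year_apart": same_owner_by_time(date(2006, 5, 15), date(2007, 5, 17), timedelta(days=30)),
    }
```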