[OpenID] OpenID provider with gibberish identity URLs to avoid nickname change issues
Chris Messina
chris.messina at gmail.com
Tue May 29 17:27:32 UTC 2007
I may be wrong, but it seems overly complex and redundant. What if
someone set their nickname to one of the opaque keys? While I applaud
the notion of allowing for changeable nicknames, I'm not sure that
it's necessary to bind the person's URL to their respective nickname.
Instead, it might just be better to accept that there is a limited
number of nicknames on your system and that folks can do what they do
everywhere and simply find a nickname that's available, knowing that
their preferred nick might not be available.
I'd say keep it simple -- as we've discussed before, the issue of
passing on OpenIDs becomes an issue if people can recycle or claim
previously used nicknames... I'm not sure what ramifications exist for
redirects -- since that's technically not delegation -- and I'd be
interested to hear what folks more familiar with the protocol says
about this.
Chris
On 5/28/07, Stuart Bishop <stuart at stuartbishop.net> wrote:
>
> I am working on turning a webapp into an OpenID provider. One if the
> features of the webapp is that the user's nicknames are changable. We would
> like nickname changes to not affect other applications we need to integrate
> with, so wish to use an unchanging opaque identifier instead of the user's
> nickname.
>
> So we are thinking of having https://openid.example.com/<nickname> issue a
> temporary redirect to https://openid.example.com/<opaquekey>. This way users
> can use the nicer, more memorable URL but name changes will not affect the
> systems we are integrating with.
>
> Can anyone see problems with this approach? The only issue I'm aware of is
> that the identity URL will look like gibberish on sites that choose to
> display it.
>
> I am also toying with the idea of instead of having a single identity url,
> instead generating a unique opaque identity URL for every trust root using a
> hash. Combined with the above, users should be able to enter their memorable
> identity, but every consumer would get a different opaque identity url
> making it impossible to correlate data across sites.
>
> Does this sound like a sane idea?
>
> --
> Stuart Bishop <stuart at stuartbishop.net>
> http://www.stuartbishop.net/
>
>
> _______________________________________________
> general mailing list
> general at openid.net
> http://openid.net/mailman/listinfo/general
>
>
>
--
Chris Messina
Citizen Provocateur &
Open Source Advocate-at-Large
Work: http://citizenagency.com
Blog: http://factoryjoe.com/blog
Cell: 412 225-1051
Skype: factoryjoe
This email is: [ ] bloggable [X] ask first [ ] private
More information about the general
mailing list