[OpenID] OpenId recycling and trust
tom calthrop
tom at barnraiser.org
Sun Sep 30 07:32:21 UTC 2007
Hi All,

I'm sure this issue has been bounced around a lot, but I've not found
"the answer", hence the following....

We have software to create a community in which people contribute. We
identify them using OpenID. The problem is this: a person connects to us
using http://tom.provider1.com, then abandons provider1.com in favor of
provider2.com. Provider1.com then frees the account and another person
registers with them who is then given the same URL. They then connect to
our community and automatically become the author of the original
contributor's work.

I appreciate that this is probably something associated with the source of
the "this is not a trust system" statement, however I would like to
attempt to explore possible solutions here because I think trust is
important.

[small rant]...
It is rather painful having to explain to people that this is not a
trust system when most OPs choose to put "trust once" or "trust always"
on the bottom of a "trust" page;) ...
[/small rant]

This can be resolved in the consumer application by asking for a
password, however I have been at pains to explain to people that you
should never input a password associated with your OpenID anywhere
except under the URL of their OpenID login page; hence from a usability
perspective this is something we are loath to do.

I'd like to gather thoughts on / proposed solutions for this/trust for 2
reasons:

1. I'd like to have a solution at the consumer which is easy for us to
implement and does not require explanation to the user.
2. I think the issue of "trust" is going to come up again and again with
OpenID and I'd like to know on a wider scale if there are any
initiatives out there to address it.

Tom
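
Added example, not part of the original message: a sketch of the consumer-side account lookup in the scenario described above, comparing an account key built from the bare URL with one that keeps the per-user fragment that OpenID Authentication 2.0 lets a provider append to a claimed identifier to handle identifier recycling. The class and function names and the `#gen1` / `#gen2` fragment values are assumptions constructed for illustration, and the code assumes the assertion has already been verified.

```python
from urllib.parse import urldefrag

# Constructed sample identifiers: same URL, issued to two different people.
ORIGINAL = "http://tom.provider1.com/#gen1"   # first holder of the URL
RECYCLED = "http://tom.provider1.com/#gen2"   # later registrant, same URL


class AccountStore:
    """Hypothetical consumer-side map from OpenID identifier to local account."""

    def __init__(self, use_fragment):
        self.use_fragment = use_fragment
        self.accounts = {}      # lookup key -> local account id
        self.next_id = 1

    def _key(self, claimed_id):
        url, fragment = urldefrag(claimed_id)
        # Weak form: key on the URL alone, so a recycled URL hits the old row.
        # Hardened form: key on (URL, fragment), so each holder is distinct.
        return (url, fragment) if self.use_fragment else url

    def login(self, claimed_id):
        """Return (account_id, created) for an already-verified assertion."""
        key = self._key(claimed_id)
        if key in self.accounts:
            return self.accounts[key], False
        account_id = self.next_id
        self.next_id += 1
        self.accounts[key] = account_id
        return account_id, True

    def display_name(self, claimed_id):
        # The fragment is an account discriminator, not something to show users.
        return urldefrag(claimed_id)[0]


def demo(use_fragment):
    """Return (newcomer_inherits_account, newcomer_got_new_account)."""
    store = AccountStore(use_fragment)
    original, _ = store.login(ORIGINAL)
    newcomer, created = store.login(RECYCLED)
    return original == newcomer, created


if __name__ == "__main__":
    print("URL-only key:      ", demo(False))
    print("URL + fragment key:", demo(True))
```

This separates the two holders only when the provider actually issues a different fragment to each registrant of the URL; a consumer that receives no fragment cannot tell them apart from the identifier alone.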