[OpenID] OpenId recycling and trust
Peter Williams
pwilliams at rapattoni.com
Sun Sep 30 08:52:50 UTC 2007
Folks tried to un-centralize and de-couple cert and SSL-based trust from the likes of VeriSign. Like Facebook today, VeriSign yesterday centralized and controlled - for a living. Controlling your behaviour once you've been hooked is the key to getting future revenue (or capitalization) out of you.
Folks tried two essential tacks to get free of VeriSign control - once they had got the value of its original user authentication act: hashtree validation, and time-based validation. These validation-phase controls were seen as counters to the alternatives of using issuing-phase controls - such as compartmentalized serial numbers, trusted monotonic sequencers.
Both validation-phase infrastructure initiatives ran into patents that were highly general. Micali patents control hashtrees as applied to identity management, and I've forgotten the name of that guy who is all over the banking community with the trusted time patents that assure identity and records mgt infrastructures based on timestamps. He has some cool tech, leveraging trusted hardware engineering techniques for syndicating trusted time for use in identity management. But, he always sued his own customers, so we just refused to deal with him.
________________________________
From: general-bounces at openid.net on behalf of Mark Fowler
Sent: Sun 9/30/2007 1:34 AM
To: OpenID List
Subject: Re: [OpenID] OpenId recycling and trust
On 30 Sep 2007, at 08:32, tom calthrop wrote:
1. I'd like to have a solution at the consumer which is easy for us to
implement and does not require explanation to the user.
I've got a little proposal: allow the standard to indicate recycling has occurred.
<teach who="grandma" what="to suck eggs">
From an OpenID consumer's point of view OpenID is a standard that lets you verify that a particular person using a web browser is associated with a particular URL. This is very much like how sending an email with a secret to an email address can be used to verify that someone owns an address. If I get control of an OpenID, much the same way that if I get control of an email address, as far as most services out there are concerned I *am* that person and I have all the rights associated with them. This is the inherent weakness in OpenID (and email) verification, but is the thing that makes it scalable and, well, open.
</teach>
So we have the situation where if a domain is taken over then the person who now runs the domain can assume all the identities of the OpenID URLs under that domain. There's very little we can do about that. But what about the situation where a domain isn't taken over? What if there's a situation where an OpenID URL itself is taken over but the domain remains in the original controller's hands (e.g. when someone signs up for an account using a recycled username?)
In this situation we've potentially got someone like AOL or some other trusted party still running the domain (and presumably, controlling what goes on the pages.) Wouldn't it be nice to provide them with some way of indicating that the person who is now associating with this OpenID URL is not the same person who originally associated with this URL?
This could be as simple as adding another tag into the HTML for the OpenID to indicate when they signed up:
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://2shortplanks.livejournal.com/">
<link rel="openid.timestamp" href="http://www.openid.net/timestamps/1191140090">
So, this means that when a consumer first associates someone with an OpenID URL they can also (optionally) record the timestamp (if present.) As long as the OpenID URL contains the same timestamp the consumer knows that the account hasn't been recycled and it can continue to trust the OpenID URL. But as soon as that timestamp changes, they know that the OpenID is no longer under the control of the original user and they can stop trusting it.
Of course, this proposal doesn't do anything about the fact that OpenIDs are also used as unique identifiers for people (e.g. Jyte.) If someone makes an assertion against someone who controls an openid and the person controlling that openid changes then the assertion is now being made about the wrong person. This sucks, but the only solution I can see to this is saying "OpenIDs are never, ever, going to be reused" which while a wonderful idea, probably isn't going to happen. At least my suggestion doesn't make this any worse.
Comments? Suggestions? Warnocking?
Mark.
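The consumer-side check Mark describes (record the openid.timestamp href on first association, keep trusting while it is unchanged, stop trusting as soon as it changes), written out as an added example. This is not code from the thread or from any OpenID library: the openid.timestamp tag is Mark's proposal, not part of the OpenID spec, and the parser, the Consumer class and the two identity pages below are constructed here to show the mechanism. The sample <link> tags reuse the URLs from the proposal above; the second timestamp value is made up.

```python
"""Relying-party ("consumer") check for a proposed openid.timestamp <link> tag.

Added example, not from the mailing-list thread or any OpenID implementation.
The tag name and the timestamp URL form follow the proposal; everything else
(parser, storage, sample pages) is an assumption made for illustration.
"""
from html.parser import HTMLParser
from typing import Dict, Optional

# Prefix used in the proposal's example href; the epoch seconds follow it.
TIMESTAMP_PREFIX = "http://www.openid.net/timestamps/"


class OpenIDLinkParser(HTMLParser):
    """Collect <link rel="openid.*" href="..."> tags from an identity page."""

    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)  # attribute values may be None
        rel = (a.get("rel") or "").strip()
        href = a.get("href")
        if rel.startswith("openid.") and href:
            self.links[rel] = href


def parse_openid_links(html: str) -> Dict[str, str]:
    """Return a rel -> href map of the openid.* link tags in the page."""
    parser = OpenIDLinkParser()
    parser.feed(html)
    return parser.links


def extract_timestamp(links: Dict[str, str]) -> Optional[int]:
    """Integer epoch from openid.timestamp, or None if absent or malformed.

    Only the expected URL shape is accepted so a stray href cannot be
    mistaken for a timestamp.
    """
    href = links.get("openid.timestamp")
    if not href or not href.startswith(TIMESTAMP_PREFIX):
        return None
    tail = href[len(TIMESTAMP_PREFIX):].strip("/")
    return int(tail) if tail.isdigit() else None


class Consumer:
    """Remembers the timestamp seen when an OpenID URL was first associated."""

    def __init__(self) -> None:
        self.first_seen: Dict[str, Optional[int]] = {}

    def check(self, openid_url: str, identity_html: str) -> str:
        """Classify a login against the stored first-association timestamp.

        "new"      first association: record the timestamp (or None)
        "ok"       timestamp unchanged: keep trusting the URL
        "recycled" timestamp changed (including absent -> present, treated
                   conservatively as a change): stop trusting the URL
        """
        ts = extract_timestamp(parse_openid_links(identity_html))
        if openid_url not in self.first_seen:
            self.first_seen[openid_url] = ts
            return "new"
        return "ok" if self.first_seen[openid_url] == ts else "recycled"


# Constructed identity pages. The first uses the link tags from the proposal;
# the second is the same page after the username was recycled (made-up epoch).
OPENID_URL = "http://2shortplanks.livejournal.com/"
PAGE_ORIGINAL = """<html><head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://2shortplanks.livejournal.com/">
<link rel="openid.timestamp" href="http://www.openid.net/timestamps/1191140090">
</head><body></body></html>"""
PAGE_RECYCLED = PAGE_ORIGINAL.replace("1191140090", "1300000000")


def demo() -> list:
    """Run the three logins a consumer would see and return the verdicts."""
    consumer = Consumer()
    return [
        consumer.check(OPENID_URL, PAGE_ORIGINAL),  # first association
        consumer.check(OPENID_URL, PAGE_ORIGINAL),  # later login, same owner
        consumer.check(OPENID_URL, PAGE_RECYCLED),  # username handed to someone else
    ]


if __name__ == "__main__":
    print(demo())
```

As Mark notes, this only helps when the domain stays in trustworthy hands: the timestamp is served from the same page as the delegate link, so whoever controls the domain controls both. What the consumer gains is a cheap, explanation-free signal for the recycled-username case, which is exactly the gap the proposal targets.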