[OpenID] OpenId recycling and trust
John Panzer
jpanzer at acm.org
Sun Sep 30 23:19:42 UTC 2007
Peter Williams wrote:
> ....
> Both validation-phase infrastructure initiatives ran into patents, that were highly general. Micali patents control hashtrees as applied to identity management, and I've forgotten the name of that guy who is all over the banking community with the trusted time patents that assure identity and records mgt infrastructures based on timestamps. He has some cool tech, leveraging trusted hardware engineering techniques for syndicating trusted time for use in identity management. But, he always sued his own customers, so we just refused to deal with him.
>
I'm talking through my hat here since I don't know anything about these
trusted time patents. However, in relationship to the proposal below,
it seems to me that there is prior art reaching back to the early years
of ARPANet email and mailing list archives, USENET, etc. -- determining
who said what, and what authority they might have had, being dependent
on the timeframe in which they said it, which was always something
provided as part of the messaging infrastructure.
It's also, in relationship to the proposal below, bloody obvious, but
that observation is likely moot these days.
(I understood that there is a proposal in OpenID 2.0 that addresses this
using opaque tags to differentiate different people when recycling
occurs. I should go re-read the spec.)
> ________________________________
>
> From: general-bounces at openid.net on behalf of Mark Fowler
> Sent: Sun 9/30/2007 1:34 AM
> To: OpenID List
> Subject: Re: [OpenID] OpenId recycling and trust
>
>
> On 30 Sep 2007, at 08:32, tom calthrop wrote:
>
>
> 1. I'd like to have a solution at the consumer which is easy for us to
>
> implement and does not require explanation to the user.
>
>
> I've got a little proposal; allow the standard to indicate recycling has occurred.
>
> <teach who="grandma" what="to suck eggs">
> From an OpenID consumer's point of view OpenID is a standard that lets you verify that a particular person using a web browser is associated with a particular URL. This is very much like how sending an email with a secret to an email address can be used to verify that someone owns an address. If I get control of an OpenID, much the same way that if I get control of an email address, as far as most services out there are concerned I *am* that person and I have all the rights associated with them. This is the inherent weakness in OpenID (and email) verification, but is the thing that makes it scalable and, well, open.
> </teach>
>
> So what we have is the situation where if a domain is taken over then the person who now runs the domain can assume all the identities of the OpenID URLs under that domain. There's very little we can do about that. But what about the situation where a domain isn't taken over? What if there's a situation where an OpenID URL itself is taken over but the domain remains in the original controller's hands (e.g. when someone signs up for an account using a recycled username?)
>
> In this situation we've potentially got someone like AOL or some other trusted party still running the domain (and presumably, controlling what goes on the pages.) Wouldn't it be nice to provide them with some way of indicating that the person who is now associating with this OpenID URL is not the same person who originally associated with this URL?
>
> This could be as simple as adding another tag into the HTML for the OpenID to indicate when they signed up
>
> <link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
> <link rel="openid.delegate" href="http://2shortplanks.livejournal.com/">
> <link rel="openid.timestamp" href="http://www.openid.net/timestamps/1191140090">
>
> So, this means that when a consumer first associates someone with an OpenID URL they can also (optionally) record the timestamp (if present.) As long as the OpenID URL contains the same timestamp the consumer knows that the account hasn't been recycled and it can continue to trust the OpenID URL. But as soon as that timestamp changes, they know that the OpenID is no longer under the control of the original user and they can stop trusting it.
>
> Of course, this proposal doesn't do anything about the fact that OpenIDs are also used as unique identifiers for people (e.g. Jyte.) If someone makes an assertion against someone who controls an openid and the person controlling that openid changes then the assertion is now being made about the wrong person. This sucks, but the only solution I can see to this is saying "OpenIDs are never, ever, going to be reused" which while a wonderful idea, probably isn't going to happen. At least my suggestion doesn't make this any worse.
>
> Comments? Suggestions? Warnocking?
>
> Mark.
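The consumer-side check Mark sketches above, written out as an added example (not code from the thread or from any OpenID library): the relying party discovers the `<link>` tags on the identity page, records the `openid.timestamp` value at first association, and on later logins treats any change or disappearance of that value as a recycling signal. The `openid.timestamp` rel name and the `/timestamps/<epoch>` URL shape are taken from the proposal; the sample pages are constructed, with the second one carrying a made-up later epoch.

```python
import re
from html.parser import HTMLParser

# Constructed identity pages: the first mirrors the proposal's example,
# the second is the same URL after a hypothetical recycling (new epoch).
ORIGINAL_PAGE = """<html><head>
<link rel="openid.server" href="http://www.livejournal.com/openid/server.bml">
<link rel="openid.delegate" href="http://2shortplanks.livejournal.com/">
<link rel="openid.timestamp" href="http://www.openid.net/timestamps/1191140090">
</head></html>"""
RECYCLED_PAGE = ORIGINAL_PAGE.replace("1191140090", "1191200000")


class _LinkParser(HTMLParser):
    """Collects rel -> href for every <link> tag on an identity page."""
    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "link":
            a = dict(attrs)
            if a.get("rel") and a.get("href"):
                self.links[a["rel"].lower()] = a["href"]


def discover(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def extract_timestamp(links):
    """Epoch seconds from the proposed openid.timestamp link, or None if absent/malformed."""
    href = links.get("openid.timestamp")
    match = re.search(r"/timestamps/(\d+)/?$", href) if href else None
    return int(match.group(1)) if match else None


class Consumer:
    """Relying party that pins the timestamp seen at first association."""
    def __init__(self):
        self.records = {}  # identity URL -> timestamp (or None) at first association

    def check(self, url, html):
        """Returns 'new', 'ok', 'unknown' (no pinned value) or 'recycled'."""
        ts = extract_timestamp(discover(html))
        if url not in self.records:
            self.records[url] = ts
            return "new"
        pinned = self.records[url]
        if pinned is None:
            return "unknown"          # page never advertised a timestamp; nothing to compare
        # A removed tag is treated as a change: a new holder could simply strip it.
        return "ok" if ts == pinned else "recycled"
```

Whether "recycled" means revoking the account or re-verifying out of band is a policy decision for the consumer; the check only detects the change.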