[OpenID] [security] Re: generation fragments

SitG Admin sysadmin at shadowsinthegarden.com
Fri Sep 5 04:30:52 UTC 2008


>So, while I still retain possession of my URI (before I give it up), 
>I "log in" with my old URI to a universal OpenID revocation list. 
> Then I go ahead and give up control of that Identifier.  End of 
>story for the end user.

I like it . . . sounds simple enough for the end user to understand 
(whereas I would shudder trying to give them an accurate idea of how 
PKI works!), doesn't ask too much of them. It can probably be 
represented with a direct analogy to E-mail addresses.

>Perhaps OpenID v.next can include a provision that requires RPs to 
>check some 
><http://openid.net/revocationlist> URI 
>periodically to download a list of URIs to never allow login for.

That sounds more like a blacklist than a revocation list. Or are you 
suggesting that OPs assign a generation fragment to *every* URI 
simply to account for the possibility that, at some future time, 
any/all of these URIs *might* change hands?

>And yes, OpenID is supposed to be decentralized.  I haven't figured 
>that one out yet.
>
>Thoughts?

Use a P2P structure where any OP in the community can use CRLs 
signed by others?

But here's a new headache: with the CRL possible merely by "the user 
logging in", there's no longer the freedom to simply switch to 
another OP if you don't like the one you have - a malicious OP could 
permanently terminate your Identity!

If you still had control of the URI this would be more of a reset 
than a termination, but I think that adding to the CRL should be 
determined by the same weak point that we already have: an ability to 
add headers to the URL of your Identity page. Whoever demonstrates 
ownership of that page has the power to specify an OP, so if they've 
got that then they're already holding the keys to your kingdom anyway.

-Shade
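The blacklist-versus-revocation distinction raised above, as an added example that is not part of the thread: an RP consults a downloaded revocation list and allows a later generation of an identifier (new holder) through while refusing the revoked one, unless the entry is a blanket blacklist. The list format, the `#fragment` as generation marker, and an HMAC with a key shared with a trusted OP standing in for the OP's signature are all assumptions of this example.

```python
"""Added example, not code from the thread or from OpenID. Assumed: a JSON
revocation list, the #fragment of a claimed identifier as its generation,
and a shared-key HMAC standing in for the OP's signature over the list."""
import hashlib
import hmac
import json
from urllib.parse import urldefrag


def split_identifier(claimed_id):
    """Return (base URI, generation fragment or None) for a claimed id."""
    base, frag = urldefrag(claimed_id)
    return base, (frag or None)


def verify_list(blob, signature_hex, op_key):
    """Stand-in for checking the trusted OP's signature over the list."""
    expected = hmac.new(op_key, blob, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_hex)


def load_revocations(blob, signature_hex, op_key):
    """Map base URI -> set of revoked generations; None = blanket entry."""
    if not verify_list(blob, signature_hex, op_key):
        raise ValueError("revocation list failed signature check; ignore it")
    revoked = {}
    for entry in json.loads(blob)["revoked"]:
        revoked.setdefault(entry["uri"], set()).add(entry.get("generation"))
    return revoked


def login_allowed(claimed_id, revoked):
    """True unless the identifier's generation (or the whole URI) is revoked."""
    base, gen = split_identifier(claimed_id)
    gens = revoked.get(base)
    if gens is None:
        return True
    if None in gens:          # blanket entry: the URI is blacklisted for good
        return False
    return gen not in gens    # only the listed generation(s) are revoked


# Constructed sample list: alice's first generation is revoked (she gave the
# URI up), while bob's URI carries a blanket entry with no generation.
OP_KEY = b"constructed-shared-key-for-the-example"
LIST_BLOB = json.dumps({"revoked": [
    {"uri": "http://example.com/alice", "generation": "g1"},
    {"uri": "http://example.com/bob"},
]}).encode()
LIST_SIG = hmac.new(OP_KEY, LIST_BLOB, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    rl = load_revocations(LIST_BLOB, LIST_SIG, OP_KEY)
    print(login_allowed("http://example.com/alice#g1", rl))  # False
    print(login_allowed("http://example.com/alice#g2", rl))  # True
    print(login_allowed("http://example.com/bob#g5", rl))    # False
```

A list that fails the signature check is rejected outright rather than trusted, so a list published by an untrusted party cannot terminate anyone's identifier at this RP.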