[OpenID] Namespace collisions?
SitG Admin
sysadmin at shadowsinthegarden.com
Mon Sep 8 21:29:21 UTC 2008
>What you're attempting in heuristically finding anonymous claimed
>ids is definitely interesting and in OpenID 1.x probably would have
>worked really well. I can't right now think of how to carry it over
>into 2.0 meaningfully though. :(
Let's say that all of www.someOP.com's URI's are of this format:
https://openid.someOP.com/username
To avoid being obvious about it, they DON'T use this other format:
https://openid.someOP.com/anonymous/username
What happens when an existing user has been assigned "s4nv8ws" as
their anonymous OpenID, and a new user comes along who wants to have
"s4nv8ws" as their account username?
Maybe the OpenID's claimed for "anonymous" usernames will have been
blocked from new account creation in the main account system as well.
This would make sense, but the more "anonymous" URI's allowed to
users the greater the chances of namespace collision with new users.
These odds can be manipulated by requiring that "anonymous" URI's be
constructed with randomly generated alphanumeric characters, but then
they LOOK like meaningless URI's. In the meantime, users may clamor
for being able to select arbitrary "anonymous" URI's that have
apparent meaning, wanting "suitability of purpose" rather than
difficulty of identifying URI's as "anonymous".
Maybe the OpenID system is entirely decoupled from account names,
requiring the users to accept randomly generated URI's so that *all*
of the URI's look that way and there can be no discrimination. The
problem here is that all URI's *are* anonymous because *none* of them
can be linked back to an existing account.
-Shade
More information about the general
mailing list