[OpenID] Namespace collisions?

Peter Williams pwilliams at rapattoni.com
Mon Sep 8 21:43:21 UTC 2008


When we did a directed id prototype (with trustbearer) the openid was always of the form OP identifier + pseudonym. The static pseud was the value SAML2 assigns, when masking id. The right to assert that pseud depended on using the trustbearer smartcard/applet. Through trusted impersonation, the card/applet and the pseud were linked.

Seemed an obvious thing to do.

-----Original Message-----
From: SitG Admin <sysadmin at shadowsinthegarden.com>
Sent: Monday, September 08, 2008 2:29 PM
To: Andrew Arnott <andrewarnott at gmail.com>
Cc: general at openid.net <general at openid.net>
Subject: [OpenID] Namespace collisions?


>What you're attempting in heuristically finding anonymous claimed
>ids is definitely interesting and in OpenID 1.x probably would have
>worked really well.  I can't right now think of how to carry it over
>into 2.0 meaningfully though. :(

Let's say that all of www.someOP.com's URIs are of this format:
https://openid.someOP.com/username
To avoid being obvious about it, they DON'T use this other format:
https://openid.someOP.com/anonymous/username
What happens when an existing user has been assigned "s4nv8ws" as
their anonymous OpenID, and a new user comes along who wants to have
"s4nv8ws" as their account username?

Maybe the OpenIDs claimed for "anonymous" usernames will have been
blocked from new account creation in the main account system as well.
This would make sense, but the more "anonymous" URIs allowed to
users the greater the chances of namespace collision with new users.
These odds can be manipulated by requiring that "anonymous" URIs be
constructed with randomly generated alphanumeric characters, but then
they LOOK like meaningless URIs. In the meantime, users may clamor
for being able to select arbitrary "anonymous" URIs that have
apparent meaning, wanting "suitability of purpose" rather than
difficulty of identifying URIs as "anonymous".

Maybe the OpenID system is entirely decoupled from account names,
requiring the users to accept randomly generated URIs so that *all*
of the URIs look that way and there can be no discrimination. The
problem here is that all URIs *are* anonymous because *none* of them
can be linked back to an existing account.

-Shade
_______________________________________________
general mailing list
general at openid.net
http://openid.net/mailman/listinfo/general
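The collision scenario Shade describes, and the two mitigations the thread discusses (one shared namespace so a pseudonym also blocks later account creation, and random alphanumeric pseudonyms whose collision odds shrink with length), as an added worked example. This is not code from the thread or from any OpenID provider; the OP base URI `https://openid.someOP.com/` is the hypothetical one from the message, and the `IdentifierRegistry` class, its methods and the `collision_probability` helper are names chosen here for illustration.

```python
"""Added example (not from the thread): one identifier namespace shared by
account usernames and anonymous pseudonyms at the hypothetical OP
https://openid.someOP.com/<name>.  Both kinds of name are drawn from the
same registry, so the "s4nv8ws" collision from the message is rejected,
and pseudonyms are random so no reserved path segment gives them away."""
import math
import secrets
import string

OP_BASE = "https://openid.someOP.com/"          # base URI from the message
ALPHABET = string.ascii_lowercase + string.digits


class IdentifierRegistry:
    """Single registry for the OP's whole /<name> namespace.

    An issued anonymous pseudonym is recorded here just like an account
    username, so a later sign-up asking for that name is refused (and
    vice versa).  `rng` only needs a .choice() method; the default is the
    `secrets` module, a seeded random.Random can be injected for tests."""

    def __init__(self, rng=secrets):
        self._taken = {}        # name -> "account" or "pseudonym"
        self._rng = rng

    def register_account(self, username: str) -> str:
        """Claim a username; raise if any name (account or pseudonym)
        already occupies that slot of the namespace."""
        name = username.lower()
        if not name or any(c not in ALPHABET for c in name):
            raise ValueError("username must be lowercase alphanumeric")
        if name in self._taken:
            raise ValueError(f"{name!r} already in use as a {self._taken[name]}")
        self._taken[name] = "account"
        return OP_BASE + name

    def issue_pseudonym(self, length: int = 7) -> str:
        """Issue a fresh random pseudonym from the same namespace,
        retrying on the (rare) collision with an existing name."""
        while True:
            name = "".join(self._rng.choice(ALPHABET) for _ in range(length))
            if name not in self._taken:
                self._taken[name] = "pseudonym"
                return OP_BASE + name

    def kind_of(self, uri: str):
        """Return "account", "pseudonym" or None for a claimed identifier."""
        name = uri[len(OP_BASE):] if uri.startswith(OP_BASE) else uri
        return self._taken.get(name)


def collision_probability(n_identifiers: int, length: int,
                          alphabet_size: int = len(ALPHABET)) -> float:
    """Birthday-bound estimate of the chance that at least two of
    n_identifiers independently random names of `length` characters
    coincide: 1 - exp(-n(n-1) / (2 * alphabet_size**length))."""
    space = alphabet_size ** length
    return 1.0 - math.exp(-n_identifiers * (n_identifiers - 1) / (2.0 * space))


def demo():
    """Reproduce the message's scenario: a pseudonym is issued, then a new
    user asks for the same string as an account username."""
    reg = IdentifierRegistry()
    pseud = reg.issue_pseudonym()
    wanted = pseud[len(OP_BASE):]
    try:
        reg.register_account(wanted)
        outcome = "granted"          # would be a namespace collision
    except ValueError as exc:
        outcome = f"refused: {exc}"
    return pseud, outcome


if __name__ == "__main__":
    print(demo())
    for n in (10_000, 1_000_000):
        for length in (7, 12):
            print(f"{n:>9} names of length {length}: "
                  f"P(collision) ~ {collision_probability(n, length):.3g}")
```

The registry deliberately stores pseudonyms and usernames in one table rather than partitioning them by prefix, which is the point of the first mitigation: the account system cannot hand out a name the pseudonym issuer already used. The `collision_probability` figures show the second mitigation's trade-off, that pushing the odds down means longer, more obviously random-looking names.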