[OpenID] Using Account Creation Date to preempt recyclable OpenIDs in v.next

Allen Tom atom at yahoo-inc.com
Wed Dec 2 19:34:53 UTC 2009


Hi Santosh,

Section 11.5.1 in the OpenID 2.0 spec specifically mentions using fragments
to differentiate between different users in the event that the OpenID URL is
recycled. 

http://openid.net/specs/openid-authentication-2_0.html#identifying

Large identity providers often try to free up desirable userids by recycling
ids that are inactive.

I do agree that account creation date is very useful to RPs, and several RPs
have asked us to make the user's account creation date available via
Attribute Exchange. RPs that ask for this are usually interested in using
the account's tenure for anti-abuse purposes. The Yahoo OP will be making
the account creation date available via AX early next year.  Hopefully we
can have a standard schema for this.

Allen



On 12/1/09 8:32 PM, "Santosh Rajan" <santrajan at gmail.com> wrote:

> I would like, first of all, to apologize to all members of the community for
> having made comments that have caused distress on this list. My apologies to
> all members.
> 
> 
> I am not aware if the idea of using account creation dates to preempt
> recyclable identifiers has been considered before, and I thought it might be
> a cheap way to preempt the problem, and worth looking into.
> 
> All accounts have a logical creation date, a time stamp that in combination
> with an account identifier will be universally unique. I think all providers
> save this time stamp (or at least the creation date) when the account is
> created. Let us call this timestamp the "account timestamp". This timestamp
> does not change through the life cycle of the identifier, and only changes
> when a new account is created with the same identifier (recycled).
> 
> 1) All OPs can return the account timestamp as an extra parameter with every
> authentication response.
> 2) Every time a user logs in at an RP, the RP can verify that the timestamp
> has not changed.
> 3) If the timestamp has changed, it means that this is a recycled identifier, and
> this is a new user.
> 
> 
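
The RP-side check discussed in this thread, as an added example that is not part of either message: the claimed identifier's fragment (OpenID 2.0 section 11.5.1) and the proposed account timestamp are both compared with what the RP stored at first login. The class name, the `account_ts` argument and the op.example identifiers are assumptions; the thread names no parameter for the timestamp.

```python
from urllib.parse import urldefrag


class RelyingPartyAccounts:
    """Binds OpenID claimed identifiers to local accounts. A changed fragment
    or a changed account timestamp is treated as a different user."""

    def __init__(self):
        # URL without fragment -> (fragment, account_ts, local_id)
        self._by_url = {}
        self._next_id = 1

    def _bind_new_account(self, url, fragment, account_ts):
        # Replaces any earlier binding, so the previous holder's local
        # account can no longer be reached through this identifier.
        local_id = self._next_id
        self._next_id += 1
        self._by_url[url] = (fragment, account_ts, local_id)
        return local_id

    def login(self, claimed_id, account_ts=None):
        """Return (status, local_id) for an already verified positive assertion.

        Assumption: claimed_id and account_ts were taken from signed fields
        of the assertion; an unsigned timestamp proves nothing.
        """
        url, fragment = urldefrag(claimed_id)
        known = self._by_url.get(url)
        if known is None:
            return "new", self._bind_new_account(url, fragment, account_ts)

        old_fragment, old_ts, local_id = known
        if fragment != old_fragment:
            # Section 11.5.1: the OP issues a new fragment on reassignment.
            return "recycled", self._bind_new_account(url, fragment, account_ts)
        if account_ts is not None and old_ts is not None and account_ts != old_ts:
            # Step 3 of the proposal: timestamp changed, so this is a new user.
            return "recycled", self._bind_new_account(url, fragment, account_ts)
        if old_ts is None and account_ts is not None:
            # The OP started sending the timestamp after first login: record it.
            self._by_url[url] = (fragment, account_ts, local_id)
        # A login without a timestamp carries no evidence either way.
        return "returning", local_id
```
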
