[OpenID] Using Account Creation Date to preempt recyclable OpenID's in v.next
Allen Tom
atom at yahoo-inc.com
Thu Dec 3 19:23:36 UTC 2009
Hi Santosh,
Fragments definitely don't look good to the end user, and that's why Section
11.5 says that fragments don't need to be displayed:
http://openid.net/specs/openid-authentication-2_0.html#identifying
Using the account creation date would have been fine (and probably less
confusing) however, doing so would have added a dependency on AX. Also, as
you mention the account creation date could potentially have some privacy
implications, however an opaque random generation identifier does not.
Thanks
Allen
On 12/2/09 6:37 PM, "Santosh Rajan" <santrajan at gmail.com> wrote:
> Hi Allen,
>
> It is just that I thought using fragments is less than optimal for recycled
> accounts.
> 1) If we are looking at OpenID's as more than just http URI's, possibly any
> other URI, this could complicate matters.
> 2) Unfortunately fragments just don't look good when printed.
> 3) Also the usage of fragments in OpenID does not reflect the true meaning of
> fragments. Fragments are used to denote different avatars of the "same
> entity", as in the semantic web. Or different parts of the same document as in
> html usage. However for OpenID we are using fragments to denote an entirely
> different entity, a new recycled account.
>
> If there are privacy concerns for using the account creation date I am open to
> using some thing else instead. But the idea was to avoid fragments by adding
> an extra parameter in the protocol, rather than in AX.
>
>
> On Thu, Dec 3, 2009 at 1:04 AM, Allen Tom <atom at yahoo-inc.com> wrote:
>> Hi Santosh,
>>
>> Section 11.5.1 in the OpenID 2.0 spec specifically mentions using fragments
>> to differentiate between different users in the event that the OpenID URL is
>> recycled.
>>
>> http://openid.net/specs/openid-authentication-2_0.html#identifying
>>
>> Large identity providers often try to free up desirable userids by recycling
>> ids that are inactive.
>>
>> I do agree that account creation date is very useful to RPs, and several RPs
>> have asked us to make the user's account creation date available via
>> Attribute Exchange. RPs that ask for this are usually interested in using the
>> account's tenure for anti-abuse purposes. The Yahoo OP will be making the
>> account creation date available via AX early next year. Hopefully we can
>> have a standard schema for this.
>>
>> Allen
>>
>>
>>
>>
>> On 12/1/09 8:32 PM, "Santosh Rajan" <santrajan at gmail.com> wrote:
>>
>>> I would like to first of all apologize to all members of the community for
>>> having made comments that have caused distress on this list. My apologies to
>>> all members.
>>>
>>>
>>> I am not aware if the idea of using account creation dates to preempt
>>> recyclable identifiers has been considered before, and I thought it might
>>> be a cheap way to preempt the problem, and worth looking into.
>>>
>>> All accounts have a logical creation date, a time stamp that in combination
>>> with an account identifier will be universally unique. I think all providers
>>> save this time stamp (or at least the creation date) when the account is
>>> created. Let us call this timestamp the "account timestamp". This timestamp
>>> does not change through the life cycle of the identifier, and only changes
>>> when a new account is created with the same identifier (recycled).
>>>
>>> 1) All OP's can return the account timestamp as an extra parameter with
>>> every authentication response.
>>> 2) Every time a user logs in at an RP, the RP can verify that the timestamp
>>> has not changed.
>>> 3) If the timestamp has changed, it means that this is a recycled identifier,
>>> and this is a new user.
>>>
>>>
>
>
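As an added illustration (not code from this thread or from any OpenID library), here is how an RP could apply both signals discussed above: the fragment that Section 11.5.1 uses to distinguish successive owners of a recycled URL, and the "account timestamp" Santosh proposes as an extra response parameter. The `account_ts` parameter name and the in-memory account table are assumptions for the example.

```python
"""RP-side detection of a recycled OpenID identifier (hypothetical example)."""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urldefrag


@dataclass
class LocalAccount:
    claimed_id: str               # full identifier as asserted, fragment included
    account_ts: Optional[str]     # assumed extra parameter carried by the OP response


class RelyingParty:
    """Keeps one local account per identifier, keyed by the URL without its fragment."""

    def __init__(self) -> None:
        self._by_base: Dict[str, LocalAccount] = {}

    def login(self, claimed_id: str, account_ts: Optional[str] = None) -> str:
        """Return 'new', 'returning' or 'recycled' for a verified positive assertion."""
        base, fragment = urldefrag(claimed_id)
        known = self._by_base.get(base)
        if known is None:
            self._by_base[base] = LocalAccount(claimed_id, account_ts)
            return "new"

        _, known_fragment = urldefrag(known.claimed_id)
        # Signal 1 (spec 11.5.1): a different fragment means a different user,
        # even though the displayable part of the URL is unchanged.
        fragment_changed = known_fragment != fragment
        # Signal 2 (proposed): the account timestamp only changes when the OP
        # has created a fresh account under the same identifier. A missing
        # value on either side is not comparable, so it is not treated as a change.
        ts_changed = (
            known.account_ts is not None
            and account_ts is not None
            and known.account_ts != account_ts
        )
        if fragment_changed or ts_changed:
            # The previous local account must not be handed to the new owner;
            # the RP unlinks it and starts a fresh record for this identifier.
            self._by_base[base] = LocalAccount(claimed_id, account_ts)
            return "recycled"
        return "returning"
```

The RP must only call `login` after the assertion has been verified the usual way; the check above decides account linkage, not authenticity.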