[OpenID] Using Account Creation Date to preempt recycleable OpenID's in v.next
Peter Watkins
peterw at tux.org
Sun Dec 6 15:20:34 UTC 2009
On Thu, Dec 03, 2009 at 08:07:46AM +0530, Santosh Rajan wrote:

> 2) Unfortunately fragments just don't look good when printed.

Have you seen the identifiers returned by Google's and Yahoo's
directed identity OP services? :-)

I think *most* users don't care about "attractive" identifiers
(just as most motorists don't care what their license plate
numbers are) -- they see OpenID primarily as a way of avoiding
setting up additional login accounts on the Web. Those that do
care about having pretty identifiers buy iNames or set up
discovery on their blogs, etc.

Leah, are you reading this? Can you give any stats on directed
identity vs. users entering their own specific identifiers?

> If there are privacy concerns for using the account creation date I am open
> to using something else instead. But the idea was to avoid fragments by
> adding an extra parameter in the protocol, rather than in AX.

I think you are reading too much into this attribute. It's quite
conceivable that we might start acting as an OP for our residents (I
work for a city government that currently only acts as an RP**). It's
also conceivable that we might delete accounts after a period of
inactivity or after an individual moves out of the city -- let's say
John Doe works for the US State Department and moves out for a 3-year
foreign assignment, and that means we delete his account.

What happens when Mr Doe moves back? We might decide that his new
account should have the same identifier that his old account had 3
years ago. We know it's the same user because he came to City Hall
and showed appropriate ID. But your RP, fixated on "account creation
time" apparently would treat him as a stranger even though we send
you the same identifier (plus fragment) as before.

The most important thing for the RP isn't when an account was created,
it's whether it's the same individual. OPs are in a much better
position to make that decision.

-Peter

** I can easily see us acting as an OP supporting AX so that other
sites can leverage our ability & willingness to verify things like
residency status.