[OpenID] Using Account Creation Date to preempt recyclable OpenIDs in v.next
SitG Admin
sysadmin at shadowsinthegarden.com
Sun Dec 6 23:53:01 UTC 2009
>The most important thing for the RP isn't when an account was created,
>it's whether it's the same individual.
I thought it was "whether it *isn't* the same individual"?
What we need, perhaps, is a non-correlation flag: a way for the user
to signify to that RP (through their OP) that they work at a shared
terminal (which may have keyloggers), they keep their password taped
to their desk, et cetera; *the user* does not trust that the next
person to log in will be them, so they want the RP to not record
their actions for purposes of making that history available (for
convenience or whatever) later on, *even to the same user* - because,
quite possibly, it *won't* be the same user. If the RP knows better
than to treat this URI as the same, even if it *is* the same, it goes
into the Privacy Policy and can be tested/audited by any user.
-Shade