[OpenID] rationale behind short-lived associations
Will Norris
will at willnorris.com
Sun Nov 29 18:34:04 UTC 2009
One question has been bugging me for a while after reading the ICAM OpenID profile[0]. The ICAM profile specifies that associations must expire within at least 24 hours. What's the rationale behind this?
Or put another way, what about the benefits of using long-lived associations? Take SSH host keys for example. They MUST be long lived to actually serve the purpose they are intended for... to ensure that host you're talking to today is the same host you talked to yesterday, and the day before that. Now for the really paranoid, you would verify the SSH host key out of band some way, but I'm certainly not suggesting that (I've gotten my fill of that with SAML metadata exchange). But even without the out of band verification, there is a lot of value just in having the host key long lived.
Why are these same principles not applied to OpenID associations? Am I overloading the purpose of the association?
[0]: http://www.idmanagement.gov/documents/ICAM_OpenID20Profile.pdf
-will