<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
A theoretical best web practice is to first make an old URL redirect to
the new one for a period of time with a 301 Permanent Redirect,
followed by (ideally) a 410 Gone Permanently response for another
period of time prior to recycling it.<br>
<br>
If an RP sees a 301 redirect for an OpenID URL it already 'knows',
after login should it ask the user if they want to change their old
OpenID to the new one? If an RP sees a 410 response, perhaps it should
mark the account as dead. And if an RP doesn't see a login for 2
years, perhaps it should flag the account as stale.<br>
<br>
DNS does not guarantee persistence and domain names can be re-used,
certainly over a time span of years. It's not possible to guarantee
"no reuse" if you're built on top of DNS. This type of id is helpful,
but stochastic.<br>
<br>
-John<br>
<br>
Coderre, Mark wrote:
<blockquote
cite="mid7B03492D640C0745B22C6DBF3A404234041A2E71@MDDP-EXCH-003.aeth.aetna.com"
type="cite">
<pre wrap="">The chance for id's referenced for access control to be "re-used" EVER
makes the id ambiguous and not helpful when securing private data for
that consumer.
-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:general-bounces@openid.net">general-bounces@openid.net</a> [<a class="moz-txt-link-freetext" href="mailto:general-bounces@openid.net">mailto:general-bounces@openid.net</a>] On
Behalf Of David Corbin
Sent: Friday, March 09, 2007 7:21 AM
To: <a class="moz-txt-link-abbreviated" href="mailto:general@openid.net">general@openid.net</a>
Subject: Re: [OpenID] Relying Party Best Practices
On Friday 09 March 2007 05:07, Mark Fowler wrote:
</pre>
<blockquote type="cite">
<pre wrap="">On 9 Mar 2007, at 00:55, Karl Anderson wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Consider the perverse case where example.org gets sold a few times
to people who use it to log into Jyte,
</pre>
</blockquote>
<pre wrap="">Er, if you sell your OpenID then you're selling your identity. Don't
do that unless you really want someone else to be able to claim
they're you.
</pre>
</blockquote>
<pre wrap=""><!---->
This places on an obligation on IPs to NEVER re-use userIds then,
doesn't it?
I haven't seen this mentioned anywhere, and is also a down side to using
delegation (unless you own the domain and will forever, even after your
dead).
Suppose I blog at foo.com, so I use <a class="moz-txt-link-freetext" href="http://dcorbin.foo.com">http://dcorbin.foo.com</a> as my openId
(which delegates the authentication to my IP). Now I choose to move my
blog over to bar.com, because I like their blogging software better. I
can reasonably expect foo.com to never re-use my ID for a year or two,
but eventually I expect it to be recycled.
</pre>
</blockquote>
<br>
<br>
<div class="moz-signature">-- <br>
<br>
<a href="http://feeds.feedburner.com/aol/SzHO"><img
src="cid:part1.08090003.09050708@aol.net"
style="border: 0pt none ; float: right;" alt="Abstractioneer"></a>John
Panzer<br>
System Architect<br>
<a class="moz-txt-link-freetext" href="http://abstractioneer.org">http://abstractioneer.org</a><br>
</div>
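How a relying party might act on the three rules John proposes above (301 seen for a known OpenID URL, 410 seen, no login for two years), as an added Python example that is not code from the thread or from any OpenID library. The URLs, dates and the KnownIdentifier record are constructed for the example, and treating temporary redirects (302/307) as no-ops goes slightly beyond the thread, which only discusses 301.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=2 * 365)  # the thread's "no login for 2 years"

@dataclass
class KnownIdentifier:
    url: str                            # OpenID URL bound to a local account
    last_login: datetime
    status: str = "active"              # active | stale | dead
    proposed_url: Optional[str] = None  # 301 target awaiting user confirmation

def review_identifier(ident: KnownIdentifier, status: int, location: Optional[str], now: datetime) -> str:
    """Apply the thread's rules to the status/Location seen when re-fetching ident.url:
    301 only *proposes* the new URL (the binding moves after the user logs in and
    confirms, never silently to whoever now controls the target); 410 marks the
    account dead; otherwise no login within STALE_AFTER marks it stale."""
    if status == 410:
        ident.status, ident.proposed_url = "dead", None
        return "marked_dead"
    if status == 301:
        if not location or location == ident.url:
            return "ignored_redirect"    # no usable target; keep the old binding
        ident.proposed_url = location
        return "migration_proposed"
    if ident.status == "active" and now - ident.last_login > STALE_AFTER:
        ident.status = "stale"
        return "marked_stale"
    return "unchanged"  # includes 302/307: temporary redirects change nothing

def confirm_migration(ident: KnownIdentifier, accepted: bool) -> bool:
    """After login the user answers the 'switch to the new OpenID?' prompt."""
    if ident.proposed_url is None:
        return False
    if accepted:
        ident.url, ident.status = ident.proposed_url, "active"
    ident.proposed_url = None
    return accepted

def demo() -> list:
    """Walk the thread's foo.com -> bar.com move with constructed dates."""
    now = datetime(2007, 3, 9)
    ident = KnownIdentifier("http://dcorbin.foo.com", datetime(2007, 1, 1))
    steps = [review_identifier(ident, 301, "http://dcorbin.bar.com", now)]
    steps.append(confirm_migration(ident, True) and ident.url)
    steps.append(review_identifier(ident, 410, None, now))
    stale = KnownIdentifier("http://old.example", datetime(2004, 1, 1))
    steps.append(review_identifier(stale, 200, None, now))
    return steps
```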
</body>
</html>