<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
ydnar wrote:
<blockquote cite="midC7D5994F-A859-436B-88EC-28B1675E9845@shaderlab.com"
type="cite">
<pre wrap="">On May 10, 2007, at 11:40 PM, Martin Atkins wrote:
</pre>
<blockquote type="cite">
<pre wrap="">The best practice could then be "Don't recycle identifier URLs. If you
*do* recycle identifier URLs, &lt;do whatever we decide here only for the
new, duplicate URLs.&gt;"
The alternative is to say "If you want to be an OP, you forfeit the
ability to recycle your user accounts." I guess I'd be happy with that
as a solution too, especially since it might reduce the ever-growing
pool of OPs-on-the-back-of-other-services and encourage these sites to
actually implement RPs instead.
</pre>
</blockquote>
<pre wrap=""><!---->
That’s a non-starter.
A signed pair of user-provided URL + OP-provided opaque ID as the
true identifier is a workable solution to this problem. Forcing a
business policy is not.
This doesn’t have to be OpenID 2.0, either. It can be an extension to
OpenID 1.1 (or call it 1.2).
</pre>
</blockquote>
+1. This policy would effectively "steal" large amounts of namespace
from providers such as AOL.<br>
<br>
And believe me, AOL is very concerned about recycling and the issues
therein. We of course have a globally unique identifier that's used
internally in exactly the way described above; this lets you
disambiguate whether example.org/fred is the same fred as last year or
a new fred. For policy reasons we can't expose that GUID, but perhaps
a hash(GUID,RP identifier) would be perfectly fine to expose in a
standard "permaGUID" attribute.<br>
<br>
Yes, this doesn't help with disambiguating things like authors of blog
posts in archives. But there, datestamps are usually available.<br>
<br>
John<br>
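<br>
The hash(GUID, RP identifier) idea from the message above, as an added example that is not part of the original e-mail or any provider's code. It swaps the bare hash for HMAC-SHA-256 under an OP-held secret (an assumption made here), and the secret, GUIDs, RP identifiers and function names are constructed for illustration.<br>
<pre wrap="">
```python
import hashlib
import hmac
import uuid

# Constructed sample secret; a real OP would load this from protected key storage.
OP_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _field(value):
    """Length-prefix a field so ("ab", "c") and ("a", "bc") encode differently."""
    raw = value.encode("utf-8")
    return len(raw).to_bytes(4, "big") + raw


def perma_guid(internal_guid, rp_identifier, secret=OP_SECRET):
    """Derive the per-RP opaque ID the OP exposes in place of its internal GUID."""
    msg = _field(internal_guid) + _field(rp_identifier)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def same_account(stored, asserted):
    """RP-side check: is the asserted permaGUID the one stored at first login?"""
    return hmac.compare_digest(stored, asserted)


# Constructed scenario: example.org/fred is released and later re-registered.
OLD_FRED = str(uuid.UUID(int=1))   # constructed internal GUID of last year's fred
NEW_FRED = str(uuid.UUID(int=2))   # constructed internal GUID of the new fred
RP_A = "http://rp-a.example/"      # hypothetical RP identifiers
RP_B = "http://rp-b.example/"


def demo():
    """Run the recycling scenario and report what each RP-side check concludes."""
    first_login = perma_guid(OLD_FRED, RP_A)
    return {
        # Same person, same RP: the stored value matches on return visits.
        "returning_user_accepted": same_account(first_login, perma_guid(OLD_FRED, RP_A)),
        # Same URL, new owner: the value differs, so the RP can tell them apart.
        "recycled_url_accepted": same_account(first_login, perma_guid(NEW_FRED, RP_A)),
        # Same person at two RPs: values differ, so the internal GUID stays private.
        "linkable_across_rps": perma_guid(OLD_FRED, RP_A) == perma_guid(OLD_FRED, RP_B),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
</pre>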
</body>
</html>