Rabbit,<div><br></div><div>I think this is a reasonable idea. I don't mind an OpenID extension that could carry an account recovery piece of data around.<br clear="all">--<br>Andrew Arnott<br>"I [may] not agree with what you have to say, but I'll defend to the death your right to say it." - Voltaire<br>
<br><br><div class="gmail_quote">2009/4/3 Rabbit <span dir="ltr"><<a href="mailto:rabbit@cyberpunkrock.com">rabbit@cyberpunkrock.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
This thread is asking the question:<br>
"How do I control my identity when I lose control over my identifier?"<br>
<br>
I'm possibly misusing the term here but if OpenID is "user-centric" then its recovery mechanism should be too. RP trusts OP to authenticate the user. RP could also trust the OP to provide information that can be used to authenticate the user independently from the OP. This would be useful for a several reasons (one-to-one privacy, OP unavailable, domain expiration, bear attacks a data center, totalitarian government takes over).<br>
<br>
Just to illustrate the concept further, here's an **example** of how this could work. (Walk away with the concepts here, not the details, please.)<br>
<br>
When you sign up for the OP, you are asked to supply an emergency passphrase. A signature is generated by the function "hash( your_openid + emergency_pass )". This signature is given to each RP you sign into. When your OP is not available, the RP can still authenticate you by using the traditional "Identifier + Credential" method in widespread usage today by asking you for your emergency passphrase. The RP will never know your emergency passphrase until it needs to know. Obviously, this must not be the same credentials used to authenticate with your OP.<br>
<br>
Again, the above is just an example. The concept can be expanded upon to provide a decentralized account recovery protocol.<br><font color="#888888">
<br>
=Rabbit</font><div><div></div><div class="h5"><br>
_______________________________________________<br>
general mailing list<br>
<a href="mailto:general@openid.net" target="_blank">general@openid.net</a><br>
<a href="http://openid.net/mailman/listinfo/general" target="_blank">http://openid.net/mailman/listinfo/general</a><br>
</div></div></blockquote></div><br></div>