<HTML>
<HEAD>
<TITLE>Re: [OpenID] Using Account Creation Date to preempt recycleable OpenID's in v.next</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi Santosh,<BR>
<BR>
Section 11.5.1 in the OpenID 2.0 spec specifically mentions using fragments to differentiate between different users in the event that the OpenID URL is recycled. <BR>
<BR>
<a href="http://openid.net/specs/openid-authentication-2_0.html#identifying">http://openid.net/specs/openid-authentication-2_0.html#identifying</a><BR>
<BR>
Large identity providers often try to free up desirable userids by recycling ids that are inactive.<BR>
<BR>
I do agree that account creation date is very useful to RPs, and several RPs have asked us to make the user’s account creation date available via Attribute Exchange. RPs that ask for this are usually interested in using the account’s tenure for anti-abuse purposes. The Yahoo OP will be making the account creation date available via AX early next year. Hopefully we can have a standard schema for this.<BR>
<BR>
Allen<BR>
<BR>
<BR>
<BR>
On 12/1/09 8:32 PM, "Santosh Rajan" &lt;<a href="mailto:santrajan@gmail.com">santrajan@gmail.com</a>&gt; wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>I would like, first of all, to apologize to all members of the community for having made comments that have caused distress on this list. My apologies to all members.<BR>
<BR>
<BR>
I am not aware if the idea of using account creation dates to preempt recyclable identifiers has been considered before, and I thought it might be a cheap way to preempt the problem, and worth looking into.<BR>
<BR>
All accounts have a logical creation date, a time stamp that in combination with an account identifier will be universally unique. I think all providers save this time stamp (or at least the creation date) when the account is created. Let us call this timestamp the "account timestamp". This timestamp does not change through the life cycle of the identifier, and only changes when a new account is created with the same identifier (recycled).<BR>
<BR>
1) All OPs can return the account timestamp as an extra parameter with every authentication response.<BR>
2) Every time a user logs in at an RP, the RP can verify that the timestamp has not changed.<BR>
3) If the timestamp has changed, it means that this is a recycled identifier, and this is a new user.<BR>
<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
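<P>Added example, not part of the original messages or of any OP's or RP's code: a sketch of how an RP could combine the two ideas in this thread, keying local accounts on the full claimed identifier with its fragment (Section 11.5.1) and comparing the proposed "account timestamp" on each login. The class, the <CODE>account_ts</CODE> argument and the sample identifiers are assumptions; the account timestamp is not an OpenID 2.0 parameter.</P>
<PRE>
```python
from itertools import count
from urllib.parse import urldefrag


class RelyingParty:
    """Maps verified OpenID claimed identifiers to local accounts (hypothetical)."""

    def __init__(self):
        # Key is the full claimed identifier, fragment included, so that an
        # OP issuing a new fragment for a recycled URL yields a new key.
        self._by_claimed_id = {}
        self._ids = count(1)

    def _create(self, claimed_id, account_ts):
        record = {"local_id": next(self._ids), "account_ts": account_ts}
        # Overwrites any older mapping: the previous owner's local account
        # can no longer be reached through this identifier.
        self._by_claimed_id[claimed_id] = record
        return record["local_id"]

    def login(self, claimed_id, account_ts=None):
        """Return (status, local_id) for an already verified assertion.

        account_ts is the thread's proposed "account timestamp"; how the
        OP would deliver it (extra parameter, AX attribute) is assumed.
        """
        record = self._by_claimed_id.get(claimed_id)
        if record is None:
            # First login, or a recycled URL carrying a new fragment.
            return "new", self._create(claimed_id, account_ts)
        stored = record["account_ts"]
        if account_ts is not None and stored is not None and account_ts != stored:
            # Same identifier, different creation time: treat as a new user.
            return "recycled", self._create(claimed_id, account_ts)
        if stored is None:
            record["account_ts"] = account_ts  # remember the first value seen
        return "existing", record["local_id"]


def display_identifier(claimed_id):
    """Identifier for display; the fragment may be omitted when shown."""
    return urldefrag(claimed_id).url


if __name__ == "__main__":
    rp = RelyingParty()
    # Constructed sample identifiers and timestamps.
    print(rp.login("https://op.example/bob", "2004-01-01T00:00:00Z"))
    print(rp.login("https://op.example/bob", "2009-06-01T00:00:00Z"))
```
</PRE>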
</BODY>
</HTML>