<HTML>
<HEAD>
<TITLE>Re: [OpenID] Using Account Creation Date to preempt recycleable OpenID's in v.next</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi Santosh,<BR>
<BR>
Fragments definitely don’t look good to the end user, and that’s why Section 11.5 says that fragments don’t need to be displayed:<BR>
<a href="http://openid.net/specs/openid-authentication-2_0.html#identifying">http://openid.net/specs/openid-authentication-2_0.html#identifying</a><BR>
<BR>
Using the account creation date would have been fine (and probably less confusing); however, doing so would have added a dependency on AX. Also, as you mention, the account creation date could potentially have some privacy implications; however, an opaque random generation identifier does not.<BR>
<BR>
Thanks<BR>
Allen<BR>
<BR>
On 12/2/09 6:37 PM, "Santosh Rajan" <<a href="santrajan@gmail.com">santrajan@gmail.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi Allen,<BR>
<BR>
It is just that I thought using fragments is less than optimal for recycled accounts.<BR>
1) If we are looking at OpenIDs as more than just HTTP URIs, possibly any other URI, this could complicate matters.<BR>
2) Unfortunately fragments just don't look good when printed.<BR>
3) Also, the usage of fragments in OpenID does not reflect the true meaning of fragments. Fragments are used to denote different avatars of the "same entity", as in the semantic web, or different parts of the same document, as in HTML usage. However, for OpenID we are using fragments to denote an entirely different entity, a new recycled account.<BR>
<BR>
If there are privacy concerns for using the account creation date I am open to using something else instead. But the idea was to avoid fragments by adding an extra parameter in the protocol, rather than in AX.<BR>
<BR>
<BR>
On Thu, Dec 3, 2009 at 1:04 AM, Allen Tom <<a href="atom@yahoo-inc.com">atom@yahoo-inc.com</a>> wrote:<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi Santosh,<BR>
<BR>
Section 11.5.1 in the OpenID 2.0 spec specifically mentions using fragments to differentiate between different users in the event that the OpenID URL is recycled. <BR>
<BR>
<a href="http://openid.net/specs/openid-authentication-2_0.html#identifying">http://openid.net/specs/openid-authentication-2_0.html#identifying</a><BR>
<BR>
Large identity providers often try to free up desirable userids by recycling ids that are inactive.<BR>
<BR>
I do agree that account creation date is very useful to RPs, and several RPs have asked us to make the user’s account creation date available via Attribute Exchange. RPs that ask for this are usually interested in using the account’s tenure for anti-abuse purposes. The Yahoo OP will be making the account creation date available via AX early next year. Hopefully we can have a standard schema for this.<BR>
<FONT COLOR="#888888"><BR>
Allen<BR>
</FONT><BR>
<BR>
<BR>
<BR>
On 12/1/09 8:32 PM, "Santosh Rajan" <<a href="santrajan@gmail.com">santrajan@gmail.com</a>> wrote:<BR>
<BR>
</SPAN></FONT><BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>I would like, first of all, to apologize to all members of the community for having made comments that have caused distress on this list. My apologies to all members.<BR>
<BR>
<BR>
I am not aware if the idea of using account creation dates to preempt recyclable identifiers has been considered before, and I thought it might be a cheap way to preempt the problem, and worth looking into.<BR>
<BR>
All accounts have a logical creation date, a time stamp that in combination with an account identifier will be universally unique. I think all providers save this time stamp (or at least the creation date) when the account is created. Let us call this timestamp the "account timestamp". This timestamp does not change through the life cycle of the identifier, and only changes when a new account is created with the same identifier (recycled).<BR>
<BR>
1) All OPs can return the account timestamp as an extra parameter with every authentication response.<BR>
2) Every time a user logs in at an RP, the RP can verify that the timestamp has not changed.<BR>
3) If the timestamp has changed, it means that this is a recycled identifier, and this is a new user.<BR>
<BR>
<BR>
</SPAN></FONT></BLOCKQUOTE></BLOCKQUOTE><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
<BR>
</SPAN></FONT></BLOCKQUOTE>
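The thread above discusses two ways an RP can avoid handing a recycled OpenID identifier's local account to its new holder: the fragment mechanism in OpenID 2.0 section 11.5.1 (with section 11.5 allowing the fragment to be hidden from the user) and Santosh's proposed extra "account timestamp" parameter. The following Python is an added example written for this page, not code from the mailing list, the OpenID specification or any OP/RP implementation; it assumes a hypothetical `account_timestamp` value handed to the RP alongside the claimed identifier and a simple in-memory RP store, and shows the RP-side check for both mechanisms, including the case where only one of them is available.

```python
"""RP-side detection of recycled OpenID identifiers (added example).

Two signals are checked on every login:
  1. the fragment of the claimed identifier (OpenID 2.0 section 11.5.1),
     which the OP changes when the identifier is reassigned; and
  2. a hypothetical `account_timestamp` value returned by the OP, which
     changes only when a new account is created under the same identifier.
The RP key for its local account is the identifier with the fragment
removed, which is also the form shown to the user (section 11.5).
"""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urldefrag


@dataclass
class LocalAccount:
    claimed_id: str                  # exact claimed identifier, fragment included
    account_timestamp: Optional[str]  # hypothetical extra parameter; None if absent
    retired: bool = False


@dataclass
class RPStore:
    # Active local accounts keyed by the display form of the identifier.
    active: dict = field(default_factory=dict)
    # Accounts retired because their identifier was recycled; never reused.
    retired: list = field(default_factory=list)


def display_identifier(claimed_id: str) -> str:
    """Strip the fragment for display; section 11.5 says it need not be shown."""
    return urldefrag(claimed_id).url


def resolve_login(store: RPStore, claimed_id: str,
                  account_timestamp: Optional[str] = None) -> str:
    """Map a verified login to a local account.

    Returns "new" (first login for this identifier), "known" (same holder as
    before) or "recycled" (the identifier now belongs to a different user;
    the old local account is retired and a fresh one created).
    """
    base = display_identifier(claimed_id)
    existing = store.active.get(base)
    if existing is None:
        store.active[base] = LocalAccount(claimed_id, account_timestamp)
        return "new"

    # Signal 1: same display identifier but a different fragment.
    fragment_changed = existing.claimed_id != claimed_id
    # Signal 2: the account timestamp moved. Only decisive when both the
    # stored and the presented value exist, so an OP that starts sending the
    # parameter later does not lock out every existing user.
    timestamp_changed = (existing.account_timestamp is not None
                         and account_timestamp is not None
                         and existing.account_timestamp != account_timestamp)

    if fragment_changed or timestamp_changed:
        existing.retired = True
        store.retired.append(existing)
        store.active[base] = LocalAccount(claimed_id, account_timestamp)
        return "recycled"

    # First time the OP supplied a timestamp for a known account: record it.
    if existing.account_timestamp is None and account_timestamp is not None:
        existing.account_timestamp = account_timestamp
    return "known"


if __name__ == "__main__":
    # Constructed sample logins; the identifiers and timestamps are made up.
    store = RPStore()
    print(resolve_login(store, "http://example.com/alice#gen1", "2009-01-01T00:00:00Z"))
    print(resolve_login(store, "http://example.com/alice#gen2", "2009-12-01T00:00:00Z"))
    print(display_identifier("http://example.com/alice#gen2"))
```

Without a fragment and without the timestamp parameter the RP has nothing to compare, so `resolve_login` reports "known" on every repeat login; that is exactly the gap both mechanisms in the thread are meant to close.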
</BODY>
</HTML>