[security] [OpenID] Re: generation fragments

SitG Admin sysadmin at shadowsinthegarden.com
Thu Sep 4 19:43:39 UTC 2008


>Especially for sites such as Blogger, where the URIs may or may not 
>have been actually used as OpenIDs,

Here's my concern: what about sites such as ISPs that aren't 
providing mass content publication as a service, but merely happen to 
include "100MB web page at www.oursite.com/~yourusername!"? The host 
then might not even be *aware* of OpenID, but if they don't force 
users to limit themselves to working through pre-existing templates, 
a web-savvy user could simply upload a new version of one of their 
pages, to include OpenID headers, and gain their own Identity.

And if that host isn't OpenID-aware, it won't have any reason to 
provide generation fragments. The only question then is whether the 
ISP's policy (if any) on letting new accounts be created with the 
same username as a terminated account permits such things within a 
shorter time frame than the "OP/RP best practices" list suggests.

It's not safe to rely on an OP to provide generation fragments for 
this, since an Identity thief could just specify another OP in the 
headers (or run their own). For the same reason this can't be 
prevented by having an OP refuse to reset passwords (or other 
authentication measures) - the OP can be certain the user isn't the 
same one as was at that URI previously, but that won't matter if the 
Identity thief puts that OP out of the picture before going to the RP.

-Shade
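The scenario above, worked through as an added example that is not part of the original message or of any OpenID implementation: an RP-side check for an identifier at a host that is not OpenID-aware. The RP does HTML-based discovery on the claimed URL, pins the OP endpoint, local identifier and any generation fragment it saw at first login, and reports a later change as a different identity instead of trusting whatever OP the page now names. The URLs (www.oursite.com/~alice, op-a.example, op-b.example), the two HTML pages and the pinning policy are constructed assumptions for illustration; the post does not prescribe this mechanism.

```python
"""
Added example (not from the original post or the OpenID specs): an RP-side
sanity check against identifier recycling on hosts that are not OpenID-aware.

The scenario: alice's page at http://www.oursite.com/~alice carries OpenID
discovery <link> tags. Later her account is terminated, someone else obtains
the username, uploads a page naming a different OP, and presents the same URL
to the RP. No OP will supply a generation fragment for that URL, so the RP has
to notice the change itself. The policy here (an assumption) is to pin the OP
endpoint and local identifier discovered at first login and treat any later
change as a new, distinct identity rather than the returning user.
"""
from html.parser import HTMLParser
from urllib.parse import urldefrag


class _LinkRelParser(HTMLParser):
    """Collect <link rel=... href=...> pairs; rel may carry several tokens."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():
                self.links[token.lower()] = href


def discover(html):
    """HTML-based discovery: prefer OpenID 2.0 rels, fall back to 1.x rels.
    Returns (op_endpoint, local_id); raises if the page is not an OpenID page."""
    parser = _LinkRelParser()
    parser.feed(html)
    links = parser.links
    if "openid2.provider" in links:
        return links["openid2.provider"], links.get("openid2.local_id")
    if "openid.server" in links:
        return links["openid.server"], links.get("openid.delegate")
    raise ValueError("no OpenID discovery information on page")


def split_claimed_id(url):
    """Separate a generation fragment (e.g. #gen2) from the identifier.
    Minimal normalization only; full OpenID identifier normalization is out of
    scope for this example."""
    base, frag = urldefrag(url)
    return base.rstrip("/"), (frag or None)


class RelyingParty:
    """Pins what discovery returned the first time a claimed id was used."""

    def __init__(self):
        # claimed id without fragment -> (op_endpoint, local_id, fragment)
        self.pinned = {}

    def check(self, claimed_id, page_html):
        key, frag = split_claimed_id(claimed_id)
        op_endpoint, local_id = discover(page_html)
        current = (op_endpoint, local_id, frag)
        seen = self.pinned.get(key)
        if seen is None:
            self.pinned[key] = current
            return "new"
        if seen == current:
            return "same"
        # OP, delegate or generation fragment differs: do not map this login
        # onto the old local account; it is, at best, a different user.
        return "changed"


# Constructed sample pages (not real sites).
ALICE_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op-a.example/endpoint">
<link rel="openid2.local_id" href="https://op-a.example/alice">
</head><body>alice's home page</body></html>"""

# Same URL after the username was recycled; the new owner names their own OP.
THIEF_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op-b.example/endpoint">
<link rel="openid2.local_id" href="https://op-b.example/alice">
</head><body>hello</body></html>"""

# An OpenID 1.x style page, to show the fallback path.
LEGACY_PAGE = """<html><head>
<link rel="openid.server" href="https://op-a.example/endpoint">
<link rel="openid.delegate" href="https://op-a.example/bob">
</head></html>"""


def demo():
    rp = RelyingParty()
    url = "http://www.oursite.com/~alice"
    return [rp.check(url, ALICE_PAGE),   # first login: pin what we saw
            rp.check(url, ALICE_PAGE),   # returning user, same discovery
            rp.check(url, THIEF_PAGE)]   # recycled username, different OP


if __name__ == "__main__":
    print(demo())
```

The point the check makes concrete: the decision cannot be delegated to the OP, because the thief chooses the OP. Pinning the discovered endpoint at the RP is one policy; it still has to be paired with the RP's own notion of account age versus the host's username-recycling window, since a thief who obtains the username before the RP ever saw it gets "new" and simply owns that identifier going forward.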


