Two Identifiers - no caching advantage

Josh Hoyt josh at janrain.com
Thu Oct 19 19:20:37 UTC 2006


On 10/19/06, Josh Hoyt <josh at janrain.com> wrote:
> when she has control

Sorry that I didn't put this all in one message, but:

I think it's worthwhile to be aware of what might happen in scenarios
where your identifier has been stolen, but it should not have much
bearing on which proposal gets accepted, since the attacker will have
been able to inflict much greater harm elsewhere. I doubt that the
protocol can offer much protection if someone actually gets control of
your identifier.

For instance, some RPs will offer a way to transition an account from
one identifier to another (for e.g. domain names expiring). The
attacker can just transition those accounts to an identifier of hers.

Josh



More information about the specs mailing list