Questions about IIW Identifier Recycling Table
Josh Hoyt
josh at janrain.com
Fri Jun 8 00:03:06 UTC 2007
On 6/7/07, David Fuelling <sappenin at gmail.com> wrote:
> Over the last few days I've been thinking about your Identifier Recycling
> proposal[2], in addition to other proposals (Tokens, etc). Assuming I
> understand things correctly, it seems as if a hybrid of the public/private
> token approach would seem to garner the most checks, per the IIW grid. Not
> sure if my idea is technically correct or not, so please let me know if what
> I'm proposing falls short anywhere. Here goes....
I'm not sure I understand what's "public" about this. If I understand
it correctly, from the relying party's perspective, the user's account
is keyed off of the pair of the identifier and the token. This sounds
like URL + private token in that table. Am I missing something?
This approach was rejected at IIW because:
1. An extra database field is required (whether or not the data is
transmitted using attribute exchange)
2. There is no obvious way to tell if a user is the same user across
sites (The identifier contains a secret portion)
3. Concern about depending on a secret for a user to be able to sign
in to a site (David's Wordpress issue)
I'm not sure which of these issues were the basis for rejecting this
approach. To me, the biggest problem with it is (2)
Josh
More information about the specs
mailing list