Proposal for Recycling Identifiers in OpenID 2.0
Dick Hardt
dick at sxip.com
Sun May 13 18:08:03 PDT 2007
I had the good fortune of discussing URIs, URLs, fragments and the
recycling issue with a number of smart W3C people at WWW2007 and they
did not respond with horror at the concept of using fragments to
recycle identifiers. Given this is a requirement for large OPs, here
is a proposal. A number of details and issues remain, suggestions and
constructive criticism encouraged!
-- Dick
Motivating use case:
For large OPs, user identifier namespace is a scarce resource and
they need to be able to recycle human readable identifiers
Design Considerations:
+ Existing identifiers continue to work
+ A human readable, memorable identifier can be entered by the user
and displayed to other users
+ A globally unique identifier is used by RPs that is different for
different users of the same human readable identifier
Proposed Solution:
Allow fragments to be an optional part of the identifier.
An RP could display the URL sans fragment to the users of the website.
RPs would use the complete URL including fragment to identify users.
RPs would be able to delete other accounts with the same base URL
when seeing a new fragment. (do we want to allow this?)
With OpenID 2.0, the identifier entered by the user does not need to
be the same as the identifier returned by the OP
To login to an RP, the user could enter "openid.op.com/user" and if
the complete identifier managed by the OP was "http://openid.op.com/
user#7356", this is what would be returned.
The following two identifiers returned by an OP would be considered
different by an RP:
http://openid.op.com/user
http://openid.op.com/user#7356
Although the user would enter "openid.op.com/user" or
"openid.op.com" in the OpenID prompt at the RP.
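To make the RP side of this proposal concrete, here is an added example (not code from the original post, and not from any OpenID library): a small Python sketch of how an RP would treat the identifier the user types, the full identifier the OP returns, and the form shown to other users. The sample identifiers and the AccountStore class are constructed for the example; the normalization (prepending "http://" and lower-casing the host) is a simplification of what OpenID 2.0 actually does, and the second fragment value is a hypothetical later holder of the same human readable name.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample identifiers, following the proposal's example.
ENTERED = "openid.op.com/user"                   # what the user types at the RP
CLAIMED_V1 = "http://openid.op.com/user#7356"    # what the OP returns for the current holder
CLAIMED_V2 = "http://openid.op.com/user#9901"    # hypothetical later holder after recycling


def normalize_entered(text: str) -> str:
    """Turn typed input into an absolute URL. Simplified: add http:// when no
    scheme is given and lower-case the host; path and fragment are case-sensitive."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    parts = urlsplit(text)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, parts.fragment))


def display_form(identifier: str) -> str:
    """What the RP shows to other users: the URL with the fragment removed."""
    parts = urlsplit(identifier)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def same_user(a: str, b: str) -> bool:
    """Account identity is the complete URL, fragment included: two identifiers
    that differ only in the fragment belong to different users."""
    return normalize_entered(a) == normalize_entered(b)


class AccountStore:
    """Hypothetical RP account table keyed on the full identifier (fragment included).
    Keying on the display form instead would hand the old account to whoever the
    OP next assigns the recycled human readable name to."""

    def __init__(self) -> None:
        self._accounts: dict = {}  # full identifier -> account record

    def find(self, claimed: str):
        return self._accounts.get(normalize_entered(claimed))

    def recycled_predecessors(self, claimed: str) -> list:
        """Existing accounts with the same base URL but a different fragment.
        A non-empty result means the human readable identifier was recycled;
        the proposal leaves it open whether the RP deletes those accounts."""
        full = normalize_entered(claimed)
        base = display_form(full)
        return [k for k in self._accounts if k != full and display_form(k) == base]

    def login(self, claimed: str) -> dict:
        """Look up the account for a claimed identifier, creating a fresh one
        (never reusing a predecessor's) when the full identifier is unknown."""
        full = normalize_entered(claimed)
        rec = self._accounts.get(full)
        if rec is None:
            rec = {
                "id": full,
                "display": display_form(full),
                "predecessors": self.recycled_predecessors(full),
            }
            self._accounts[full] = rec
        return rec


if __name__ == "__main__":
    store = AccountStore()
    first = store.login(CLAIMED_V1)
    second = store.login(CLAIMED_V2)
    print(first["display"], "->", first["id"])
    print(second["display"], "->", second["id"], "recycled from", second["predecessors"])
```

The point of `recycled_predecessors` is detection rather than policy: the RP can tell that a new fragment has appeared under a base URL it already knows, and decide separately whether to flag, retire or delete the earlier account.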
Outstanding Issues:
When resolving "http://openid.op.com/user#7356", does the RP resolve
just http://openid.op.com/user, or does the RP need to find the
fragment "7356" in the document at "http://openid.op.com/user"? If
so, where is the fragment? Does it need to occur before? What does it
mean when the document type is an XRDS document?
Does the document need to contain "http://openid.op.com/user#7356"
for the RP to close the circle on what the OP is stating?
Will this break existing OpenID 1.1 RPs? Which ones? Is this going to
be an issue for them?