[OpenID] Using Account Creation Date to preempt recyclable OpenIDs in v.next

SitG Admin sysadmin at shadowsinthegarden.com
Wed Dec 2 15:57:35 UTC 2009


Sending again to the Specs list, for anyone who isn't subscribed to general:

At 10:02 AM +0530 12/2/09, Santosh Rajan wrote:
>I am not aware if the idea of using account creation dates to 
>preempt recyclable identifiers has been considered before, and I 
>thought it might be a cheap way to preempt the problem, and worth 
>looking into.

Search the list archives for "generation fragments". Effectively the 
same, except without leaking data about when the user created their 
account at an OP, and returned as part of the OpenID URI instead of 
as an extra parameter along the side. This makes it a unique URI 
without RPs having to look for, process, and keep track of another 
variable.

Unfortunately, this still doesn't actually help with the "persistent" 
part; if the domain name is taken over by a malicious 3rd party, they 
can reissue the *same exact identifier* (fragments and all), 
presumably acquired when they tricked the user into logging in at 
their "cute kitten photos site" RP.

This can be mitigated by giving a different unique URI to each RP 
(thus preventing each of them from compromising any other), but it 
might still be possible to discover that URI through traffic 
eavesdropping or the like, even if the RP isn't displaying that 
string anywhere, and an attacker could then compromise that specific 
account later. (Exact string comparison would also have to be forgone 
when RPs were trying to confirm that they were both thinking of the 
same user for some operation, lest one RP be able to find out what 
another RP used to identify the user, but a number of successive 
hashes on randomly generated salts volunteered by both parties can 
provide a fairly high level of assurance that the string is the same 
(the random salts are to counter rainbow tables).)

For a different approach to obtaining consistency, see the current 
("persistent, non-recycleable identifiers") thread :)

-Shade
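Added example, not code from the thread or the OpenID specs: a Python sketch of the salted-hash check Shade describes, where two RPs confirm they hold the same identifier string for a user without either one sending the string itself. The RelyingParty class, the two-round challenge/response shape and the sample identifiers are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets


def _salted_hash(salt_a: bytes, salt_b: bytes, identifier: str) -> bytes:
    # Both parties' random salts go into every digest, so neither side can
    # precompute a rainbow table against the other's identifier string.
    return hashlib.sha256(salt_a + b"|" + salt_b + b"|" + identifier.encode()).digest()


class RelyingParty:
    """One RP and the identifier string it stores for a user (constructed sample)."""

    def __init__(self, name: str, identifier: str) -> None:
        self.name = name
        self.identifier = identifier

    def challenge(self) -> bytes:
        # Fresh salt per run: a recorded response cannot be replayed later.
        return secrets.token_bytes(16)

    def respond(self, their_salt: bytes) -> tuple[bytes, bytes]:
        my_salt = secrets.token_bytes(16)
        return my_salt, _salted_hash(their_salt, my_salt, self.identifier)

    def verify(self, my_salt: bytes, their_salt: bytes, their_digest: bytes) -> bool:
        # Recompute with my own stored string; a match means the other RP
        # hashed the same string, without it ever being transmitted.
        expected = _salted_hash(my_salt, their_salt, self.identifier)
        return hmac.compare_digest(expected, their_digest)


def same_user(rp_a: RelyingParty, rp_b: RelyingParty) -> bool:
    """Round 1: A challenges B. Round 2: B challenges A. Both must pass."""
    salt_a = rp_a.challenge()
    salt_b, digest_b = rp_b.respond(salt_a)
    if not rp_a.verify(salt_a, salt_b, digest_b):
        return False
    salt_b2 = rp_b.challenge()
    salt_a2, digest_a = rp_a.respond(salt_b2)
    return rp_b.verify(salt_b2, salt_a2, digest_a)


# Caveat: the digests only withhold the string if it is not enumerable; a
# guessable identifier can still be brute-forced offline from one response.
```
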
