Comments on: Identifier Reuse in OpenID 2.0

By: James Henstridge » OpenID 2.0 Specification Approved

James Henstridge » OpenID 2.0 Specification Approved — Mon, 10 Dec 2007 04:38:57 +0000

[...] stated previously that I think the support for identifier reuse with respect to URL identifiers is a bit lacking. [...]

By: James Henstridge

James Henstridge — Thu, 15 Nov 2007 01:57:36 +0000

Roman: my understanding is that there are a few things preventing this:

1. the XRI registry probably won’t let you do that.

2. if you could do that, you probably wouldn’t be able to authenticate using the XRI. This is roughly equivalent to copying the openid.* meta tags from someone else’s web page — you would be creating a new OpenID for the other user, not creating a way to impersonate them.

You’d be better off asking an XRI expert about this though. I have not read much about the implementation details.

By: Roman Beslik

Roman Beslik — Thu, 15 Nov 2007 01:45:26 +0000

>If the user registers another XRI pointing at the same persistent identifier, it will be considered equivalent.

Does it mean that I can write under someone’s name? Assuming that I’ve registered an XRI pointing to someone’s persistent identifier.

By: James Henstridge

James Henstridge — Tue, 13 Nov 2007 13:14:32 +0000

Garry: thanks for the info. That gets rid of the reuse problem, but does not address the renaming issue.

Atom: I do realise that processing would require an additional round trip — I said as much in the article. Given that it wouldn’t affect things in the general case where is not used, I don’t really agree that this is reason enough to reject it.

For instance, it requires no more round trips than the directed identity mode, and that is included in the specification.

By: atom

atom — Tue, 13 Nov 2007 00:41:39 +0000

Identifier Recycling is an issue that all large identity providers face, and freeing up desirable usernames that aren’t being actively used is always a high priority.

Section 11.5.1 of Draft 12 of the OpenID 2.0 spec recommends that OPs assign a unique url fragment to an OpenID url that changes when the OpenID changes ownership.

I believe that if the OP of http://example.com/james responded with http://example.com/id/42, the RP would be required to preform discovery on http://example.com/id/42 to verify that the OP is authorized to make claims about http://example.com/id/42. This will add an extra round trip, adding more latency to the signin process. See section 11.2 for more info. I don’t believe that using url fragments as generation identifiers will require an extra round trip.

By: Gary Krall

Gary Krall — Tue, 13 Nov 2007 00:17:18 +0000

James: By way of introduction I am the technical director for the PiP/SeatBelt products here at Verisign. I read with interest your article and I thought I would share with you what Verisign does. On the PiP we do not allow identifers to ever be re-used. Once an identifier has been claimed by a user we never allow for that to be re-issued in the system.

Just thought you’d be interested.

By: James Henstridge

James Henstridge — Mon, 12 Nov 2007 22:15:55 +0000

Tassos: I don’t think anything I’ve suggested breaks the “single digital identity” idea of OpenID.

As I said above, the main questions are (1) how to avoid someone else assuming an identity on OPs that allow identifier reuse and (2) on systems that allow a user to change their human-friendly identifier, can the user maintain their identity?

By: Tassos Bassoukos

Tassos Bassoukos — Mon, 12 Nov 2007 05:55:19 +0000

Wouldn’t your solution invalidate one of the major use-cases of OpenID, the ‘you need only one identifier’ one?