One of the issues that the OpenID 1.1 specification did not cover is the fact that an identity URL may not remain the property of a user over time. For large OpenID providers there are two cases they may run into: A user with a popular user name stops using the service, and they want to make that name available to new users. A user changes their user name. This may be followed by someone taking over the old name. In both cases, RPs would like some way to tell the difference between two different users who present the same ID at different points in time. The traditional method of solving this problem is to assign two identifiers to a user: a human friendly identifier and a persistent identifier (e.g. a UNIX user ID, a database row ID, etc). At any point in time, the human friendly identifier will point to a particular persistent identifier, but over time the relationship may not hold. Whenever a human-friendly identifier is presented, it is transformed to its persistent counterpart before storage. With OpenID 1.1, Relying Parties are expected to use the canonicalised form of what the user enters to identify them. It is possible to redirect the human friendly identifier to a persistent one, but that is not particularly nice if you are trying to co-locate the user's home page and OpenID. OpenID 2.0: XRIs The only solution to this problem in earlier drafts of OpenID 2.0 was to use XRIs. When resolving an XRI, the resulting XRDS document includes a persistent identifier in the element. For example, resolving "=foo" gives us a canonical ID of "=!4EFC.841C.8012.E2F8". If a user logs in to an RP with the former, the RP will record the latter. This means the following: If the user stops paying their $12/year and someone else registers "=foo", that new user will have a different persistent ID so won't be able to assume the identity. If the user registers another XRI pointing at the same persistent identifier, it will be considered equivalent. OpenID 2.0: URL identifiers But if you want to use URLs as identifiers, how do you solve the problem? One solution that was shot down was to allow the <CanonicalID> element in the XRDS document for a URL OpenID. Apparently this was rejected because it would result in another round trip during the discovery process to find the endpoint for the persistent ID. Instead, a feature was added to help detect the case where an identifier was recycled. As part of the positive authentication response, an OP is allowed to modify the claimed ID to include a fragment URI component. If the identifier gets reassigned, the OP is expected to return a different fragment. This solves problem (1) but not problem (2). As it stands, the OpenID 2.0 specification doesn't provide much guidance in letting a user change their human friendly URL identifier while maintaining the same identity. A Solution One solution to this problem is to make use…