Sending again to the Specs list, for anyone who isn't subscribed to general:
At 10:02 AM +0530 12/2/09, Santosh Rajan wrote:
> I am not aware if the idea of using account creation dates to preempt recyclable identifiers has been considered before, and I thought it might be a cheap way to preempt the problem, and worth looking into.

Search the list archives for "generation fragments". Effectively the same, except without leaking data about when the user created their account at an OP, and returned as part of the OpenID URI instead of as an extra parameter along the side. This makes it a unique URI without RPs having to look for, process, and keep track of another variable.
Unfortunately, this still doesn't actually help with the "persistent" part; if the domain name is taken over by a malicious 3rd party, they can reissue the *same exact identifier* (fragments and all), presumably acquired when they tricked the user into logging in at their "cute kitten photos site" RP.
This can be mitigated by giving a different unique URI to each RP (thus preventing each of them from compromising any other), but it might still be possible to discover that URI through traffic eavesdropping or the like, even if the RP isn't displaying that string anywhere, and an attacker could then compromise that specific account later.

(Exact string comparison would also have to be forgone when RPs were trying to confirm that they were both thinking of the same user for some operation, lest one RP be able to find out what another RP used to identify the user; but a number of successive hashes on randomly generated salts volunteered by both parties can provide a fairly high level of assurance that the string is the same. The random salts are to counter rainbow tables.)

For a different approach to obtaining consistency, see the current ("persistent, non-recyclable identifiers") thread :)
-Shade
_______________________________________________
specs mailing list
http://lists.openid.net/mailman/listinfo/openid-specs
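Worked example, added here and not taken from the thread or from any OpenID implementation: it puts the two ideas from Shade's message side by side, a per-RP OpenID URI carrying a generation fragment, and the "successive hashes over salts from both parties" exchange two RPs can use to check that they hold the same string without either revealing it. The OP base URL (op.example), the HMAC-over-realm derivation of the per-RP path, the iteration count and the "A"/"B" role labels are all assumptions made for this illustration; the role label is included so that a peer which does not know the string cannot simply echo our digest back.

```python
"""Per-RP OpenID identifiers with generation fragments, plus a salted
equality check between two RPs. Added illustration, not code from the
openid-specs thread; the OP base URL, the HMAC derivation, the round
count and the role labels are assumptions made here."""
import hashlib
import hmac
import secrets

OP_BASE = "https://op.example/id/"   # hypothetical OP, assumed for the example
ROUNDS = 10_000                      # iteration count chosen here, not by the thread


def pairwise_identifier(user_secret: bytes, rp_realm: str, generation: int) -> str:
    """Derive the OpenID URI the OP hands to one RP for one user.

    Assumption: the OP keeps a long-term per-user secret and derives the
    RP-specific path with HMAC over the RP's realm, so the URI issued to
    one RP cannot be turned into the URI issued to another without that
    secret. The generation counter rides in the fragment: a recycled
    account at the same OP gets a new full URI, so an RP doing exact
    string comparison will not match it against the previous owner.
    """
    tag = hmac.new(user_secret, rp_realm.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{OP_BASE}{tag}#gen{generation}"


def commit(identifier: str, salt_a: bytes, salt_b: bytes, role: bytes,
           rounds: int = ROUNDS) -> str:
    """Iterated hash of an identifier under salts volunteered by both parties.

    Fresh salts from both sides rule out precomputed (rainbow) tables, the
    iteration count slows guessing against a captured digest, and the role
    label keeps a peer from echoing our own digest back as its answer.
    """
    digest = hashlib.sha256(role + salt_a + salt_b + identifier.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(role + salt_a + salt_b + digest).digest()
    return digest.hex()


def verify_peer(my_identifier: str, salt_a: bytes, salt_b: bytes,
                peer_role: bytes, peer_digest: str, rounds: int = ROUNDS) -> bool:
    """True iff the peer's digest is what our own string would yield in its role."""
    expected = commit(my_identifier, salt_a, salt_b, peer_role, rounds)
    return hmac.compare_digest(expected, peer_digest)


def same_user(identifier_a: str, identifier_b: str, rounds: int = ROUNDS) -> bool:
    """Simulate the exchange between RP A (holding identifier_a) and RP B
    (holding identifier_b). Neither string crosses the wire; only the two
    salts and the two digests do. Returns True iff the strings are identical."""
    salt_a = secrets.token_bytes(16)      # volunteered by A, sent to B
    salt_b = secrets.token_bytes(16)      # volunteered by B, sent to A
    digest_a = commit(identifier_a, salt_a, salt_b, b"A", rounds)   # A -> B
    digest_b = commit(identifier_b, salt_a, salt_b, b"B", rounds)   # B -> A
    a_accepts = verify_peer(identifier_a, salt_a, salt_b, b"B", digest_b, rounds)
    b_accepts = verify_peer(identifier_b, salt_a, salt_b, b"A", digest_a, rounds)
    return a_accepts and b_accepts


if __name__ == "__main__":
    user_secret = secrets.token_bytes(32)   # constructed sample per-user secret
    kittens = pairwise_identifier(user_secret, "https://kittens.example/", 1)
    bank = pairwise_identifier(user_secret, "https://bank.example/", 1)
    print(kittens)
    print(bank)
    print("same string:", same_user(kittens, kittens))
    print("different per-RP URIs:", same_user(kittens, bank))
```

The last line of the demo is the caveat worth noticing: once each RP holds a different URI for the same user, the salted exchange correctly reports that the two strings differ, so it only confirms "same user" when both sides hold the same string. Per-RP isolation and cross-RP matching pull in opposite directions, and the identifier captured from the kitten-photos RP is of no use for deriving the bank's URI without the OP's per-user secret.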
