Oops resending to specs.

On Thu, Dec 3, 2009 at 8:07 AM, Santosh Rajan <[email protected]> wrote:

> Hi Allen,
>
> It is just that I thought using fragments is less than optimal for
> recycled accounts.
>
> 1) If we are looking at OpenIDs as more than just http URIs, possibly any
> other URI, this could complicate matters.
> 2) Unfortunately fragments just don't look good when printed.
> 3) Also the usage of fragments in OpenID does not reflect the true meaning
> of fragments. Fragments are used to denote different avatars of the "same
> entity", as in the semantic web, or different parts of the same document as
> in HTML usage. However for OpenID we are using fragments to denote an
> entirely different entity, a new recycled account.
>
> If there are privacy concerns with using the account creation date I am open
> to using something else instead. But the idea was to avoid fragments by
> adding an extra parameter in the protocol, rather than in AX.
>
> On Thu, Dec 3, 2009 at 1:04 AM, Allen Tom <[email protected]> wrote:
>
>> Hi Santosh,
>>
>> Section 11.5.1 in the OpenID 2.0 spec specifically mentions using
>> fragments to differentiate between different users in the event that the
>> OpenID URL is recycled.
>>
>> http://openid.net/specs/openid-authentication-2_0.html#identifying
>>
>> Large identity providers often try to free up desirable userids by
>> recycling ids that are inactive.
>>
>> I do agree that account creation date is very useful to RPs, and several
>> RPs have asked us to make the user’s account creation date available via
>> Attribute Exchange. RPs that ask for this are usually interested in using
>> the account’s tenure for anti-abuse purposes. The Yahoo OP will be making
>> the account creation date available via AX early next year. Hopefully we
>> can have a standard schema for this.
>>
>> Allen
>>
>> On 12/1/09 8:32 PM, "Santosh Rajan" <[email protected]> wrote:
>>
>> I would like, first of all, to apologise to all members of the community
>> for having made comments that have caused distress on this list. My apologies
>> to all members.
>>
>> I am not aware if the idea of using account creation dates to preempt
>> recyclable identifiers has been considered before, and I thought it might
>> be a cheap way to preempt the problem, and worth looking into.
>>
>> All accounts have a logical creation date, a timestamp that in
>> combination with an account identifier will be universally unique. I think
>> all providers save this timestamp (or at least the creation date) when the
>> account is created. Let us call this timestamp the "account timestamp". This
>> timestamp does not change through the life cycle of the identifier, and only
>> changes when a new account is created with the same identifier (recycled).
>>
>> 1) All OPs can return the account timestamp as an extra parameter with
>> every authentication response.
>> 2) Every time a user logs in at an RP, the RP can verify that the
>> timestamp has not changed.
>> 3) If the timestamp has changed, it means that this is a recycled identifier,
>> and this is a new user.
>
> --
> http://hi.im/santosh

--
http://hi.im/santosh
_______________________________________________ specs mailing list [email protected] http://lists.openid.net/mailman/listinfo/openid-specs
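The two recycling defences discussed in the thread, the fragment mechanism of OpenID 2.0 section 11.5.1 and Santosh's account-timestamp check, side by side on the RP side. This is an added example, not code from the thread, the spec or any OpenID library. The parameter name "openid.ext1.account_timestamp" is an assumption standing in for wherever an OP would carry the creation timestamp (the thread leaves open whether that is a core parameter or an AX attribute), signature verification against the association is assumed to happen elsewhere, and the response dicts in demo() are constructed, not captured traffic.

```python
"""
RP-side handling of recycled OpenID Claimed Identifiers (added example).

 1. Fragment (OpenID 2.0 section 11.5.1): the OP appends a fragment to the
    Claimed Identifier and the RP keys its accounts on the full identifier,
    fragment included, so a re-issued userid never matches an old account.
 2. Account timestamp (the proposal in the thread): the OP sends the
    account's creation timestamp with every response; the RP pins it on
    first login and treats a later change as a brand-new user.

ASSUMPTIONS: "ext1.account_timestamp" is a made-up field name; only the
openid.signed coverage check is done here, the signature itself is
assumed to be verified elsewhere; all responses below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TS_FIELD = "ext1.account_timestamp"  # hypothetical field, see module docstring


@dataclass
class LocalAccount:
    claimed_id: str                   # full Claimed Identifier, fragment included
    account_timestamp: Optional[str]  # None if the OP never sent one
    local_uid: int


def signed_fields(response: Dict[str, str]) -> List[str]:
    """Fields the OP's signature covers, as listed in openid.signed."""
    return [f.strip() for f in response.get("openid.signed", "").split(",") if f.strip()]


def signed_timestamp(response: Dict[str, str]) -> Optional[str]:
    """The account timestamp, but only when the OP signed it. An unsigned
    extension value could be added or altered on the way back to the RP,
    so it must not be allowed to retire or preserve a local account."""
    if TS_FIELD not in signed_fields(response):
        return None
    return response.get("openid." + TS_FIELD)


@dataclass
class RelyingParty:
    accounts: Dict[str, LocalAccount] = field(default_factory=dict)
    next_uid: int = 1

    def _create(self, claimed_id: str, ts: Optional[str]) -> LocalAccount:
        # Overwrites any previous entry: the old holder's account is no
        # longer reachable through this identifier.
        acct = LocalAccount(claimed_id, ts, self.next_uid)
        self.next_uid += 1
        self.accounts[claimed_id] = acct
        return acct

    def login(self, response: Dict[str, str]) -> Tuple[str, LocalAccount]:
        """Map a positive assertion to a local account.

        Returns ("new" | "existing" | "recycled", account). Accounts are
        keyed on the exact Claimed Identifier string, so identifiers that
        differ only in fragment are different users. A changed, signed
        timestamp on a known identifier means the OP re-issued it, so a
        fresh local account is created and the new holder inherits nothing.
        """
        claimed_id = response["openid.claimed_id"]
        if "claimed_id" not in signed_fields(response):
            raise ValueError("claimed_id is not covered by openid.signed")
        ts = signed_timestamp(response)

        acct = self.accounts.get(claimed_id)
        if acct is None:
            return "new", self._create(claimed_id, ts)
        if ts is not None and acct.account_timestamp is not None and ts != acct.account_timestamp:
            return "recycled", self._create(claimed_id, ts)
        if acct.account_timestamp is None and ts is not None:
            acct.account_timestamp = ts  # OP started sending it; pin it now
        return "existing", acct


BASE_SIGNED = "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle"


def demo() -> List[str]:
    """Constructed responses exercising both mechanisms; returns the outcomes."""
    rp = RelyingParty()
    out = []
    alice = {
        "openid.claimed_id": "http://example.com/u/alice",
        "openid.signed": BASE_SIGNED + "," + TS_FIELD,
        "openid." + TS_FIELD: "2009-01-15T10:00:00Z",
    }
    out.append(rp.login(alice)[0])                                  # new
    out.append(rp.login(alice)[0])                                  # existing
    recycled = {**alice, "openid." + TS_FIELD: "2009-12-03T08:07:00Z"}
    out.append(rp.login(recycled)[0])                               # recycled
    # Timestamp present but not in openid.signed: ignored, account untouched.
    tampered = {**recycled, "openid.signed": BASE_SIGNED, "openid." + TS_FIELD: "1999-01-01T00:00:00Z"}
    out.append(rp.login(tampered)[0])                               # existing
    # Fragment mechanism, no timestamp: distinct fragments are distinct users.
    bob1 = {"openid.claimed_id": "http://example.com/u/bob#7f3c", "openid.signed": BASE_SIGNED}
    bob2 = {"openid.claimed_id": "http://example.com/u/bob#a91e", "openid.signed": BASE_SIGNED}
    out.append(rp.login(bob1)[0])                                   # new
    out.append(rp.login(bob2)[0])                                   # new
    return out
```

The check that matters most in practice is the one on openid.signed: an RP that reads an extension parameter without confirming it is signed gives whoever controls the return leg a way to either keep a recycled identifier bound to the previous holder's account or force a stranger's account to be retired. Note also that the timestamp approach only helps once the RP has seen the value at least once, which is why the code pins it on the first signed response rather than demanding it up front.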
