#1 is an extremely good point. 'Acct:' Webfinger identifiers do not currently allow fragments for example.
On Wednesday, December 2, 2009, Santosh Rajan <[email protected]> wrote:

> Oops resending to specs.
>
> On Thu, Dec 3, 2009 at 8:07 AM, Santosh Rajan <[email protected]> wrote:
>
> Hi Allen,
>
> It is just that I thought using fragments is less than optimal for recycled accounts.
>
> 1) If we are looking at OpenIDs as more than just http URIs, possibly any other URI, this could complicate matters.
>
> 2) Unfortunately fragments just don't look good when printed.
>
> 3) Also the usage of fragments in OpenID does not reflect the true meaning of fragments. Fragments are used to denote different avatars of the "same entity", as in the semantic web. Or different parts of the same document as in html usage. However for OpenID we are using fragments to denote an entirely different entity, a new recycled account.
>
> If there are privacy concerns for using the account creation date I am open to using something else instead. But the idea was to avoid fragments by adding an extra parameter in the protocol, rather than in AX.
>
> On Thu, Dec 3, 2009 at 1:04 AM, Allen Tom <[email protected]> wrote:
>
>> Hi Santosh,
>>
>> Section 11.5.1 in the OpenID 2.0 spec specifically mentions using fragments to differentiate between different users in the event that the OpenID URL is recycled.
>>
>> http://openid.net/specs/openid-authentication-2_0.html#identifying
>>
>> Large identity providers often try to free up desirable userids by recycling ids that are inactive.
>>
>> I do agree that account creation date is very useful to RPs, and several RPs have asked us to make the user's account creation date available via Attribute Exchange. RPs that ask for this are usually interested in using the account's tenure for anti-abuse purposes. The Yahoo OP will be making the account creation date available via AX early next year. Hopefully we can have a standard schema for this.
>>
>> Allen
>>
>> On 12/1/09 8:32 PM, "Santosh Rajan" <[email protected]> wrote:
>>
>>> I would like, first of all, to apologize to all members of the community for having made comments that have caused distress on this list. My apologies to all members.
>>>
>>> I am not aware if the idea of using account creation dates to preempt recyclable identifiers has been considered before, and I thought it might be a cheap way to preempt the problem, and worth looking into.
>>>
>>> All accounts have a logical creation date, a time stamp that in combination with an account identifier will be universally unique. I think all providers save this time stamp (or at least the creation date) when the account is created. Let us call this timestamp the "account timestamp". This timestamp does not change through the life cycle of the identifier, and only changes when a new account is created with the same identifier (recycled).
>>>
>>> 1) All OPs can return the account timestamp as an extra parameter with every authentication response.
>>> 2) Every time a user logs in at an RP, the RP can verify that the timestamp has not changed.
>>> 3) If the timestamp has changed, it means that this is a recycled identifier, and this is a new user.
>>>
>>> --
>>> http://hi.im/santosh
>
> --
> http://hi.im/santosh

--
John Panzer / Google
[email protected] / abstractioneer.org / @jpanzer

_______________________________________________
specs mailing list
[email protected]
http://lists.openid.net/mailman/listinfo/openid-specs
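The two recycled-identifier mechanisms discussed in this thread, as an added example that is not part of any message above and not code from any OpenID library: the fragment approach from OpenID 2.0 section 11.5.1 (the RP keys its local accounts on the full claimed identifier, fragment included, so a recycled account with a new fragment never maps to the old local account) and Santosh's proposed "account timestamp" parameter (the RP records the value seen at first login and treats a changed value as a new user). The `RelyingParty` class, the outcome strings, the sample identifiers and timestamps are all constructed for illustration; the thread does not define a wire format for the timestamp parameter, so it is modelled here simply as an opaque string returned by the OP.

```python
"""RP-side handling of recycled OpenID identifiers (illustrative, not a spec implementation).

Two signals are compared:
  * the fragment approach of OpenID 2.0 section 11.5.1: the OP appends a fragment
    to the claimed identifier, so a recycled account yields a different identifier
    string and must be keyed as such;
  * the "account timestamp" extra parameter proposed in the thread: the RP stores
    the value seen at first login and a change means a recycled identifier.
Sample identifiers and timestamps below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urldefrag


@dataclass
class LocalAccount:
    local_id: int
    claimed_id: str                      # full claimed identifier, fragment included
    account_timestamp: Optional[str]     # opaque value from the OP at first login, if any


@dataclass
class RelyingParty:
    """In-memory stand-in for an RP's user table (assumption: one local account per claimed id)."""
    _by_claimed_id: Dict[str, LocalAccount] = field(default_factory=dict)
    retired: List[LocalAccount] = field(default_factory=list)   # old accounts unlinked after recycling
    _next_id: int = 1

    def _create(self, claimed_id: str, ts: Optional[str]) -> LocalAccount:
        acct = LocalAccount(self._next_id, claimed_id, ts)
        self._next_id += 1
        self._by_claimed_id[claimed_id] = acct
        return acct

    def login(self, claimed_id: str, account_timestamp: Optional[str] = None) -> Tuple[str, LocalAccount]:
        """Process a positive assertion for claimed_id.

        Returns (outcome, local_account) where outcome is 'new', 'returning' or 'recycled'.
        Lookup is on the FULL identifier string: with the section 11.5.1 fragment scheme,
        'http://example.com/alice#1' and 'http://example.com/alice#2' are different users.
        """
        existing = self._by_claimed_id.get(claimed_id)
        if existing is None:
            return "new", self._create(claimed_id, account_timestamp)

        if existing.account_timestamp is None and account_timestamp is not None:
            # Assumption: the OP started sending the parameter after this user first
            # logged in; record it so later changes can be detected.
            existing.account_timestamp = account_timestamp
            return "returning", existing

        if (existing.account_timestamp is not None
                and account_timestamp is not None
                and existing.account_timestamp != account_timestamp):
            # Step 3 of the proposal: a changed timestamp means the identifier was
            # recycled and this is a different person. Unlink the old local account
            # rather than handing it to the new user.
            self.retired.append(self._by_claimed_id.pop(claimed_id))
            return "recycled", self._create(claimed_id, account_timestamp)

        return "returning", existing


def display_identifier(claimed_id: str) -> str:
    """Fragment-free form for display only (the thread's point 2: fragments print badly).

    Never use this value as the lookup key; stripping the fragment would merge
    a recycled account with its predecessor.
    """
    return urldefrag(claimed_id).url


if __name__ == "__main__":
    rp = RelyingParty()
    # Fragment scheme: a recycled account arrives with a new fragment.
    print(rp.login("http://example.com/alice#1")[0])      # new
    print(rp.login("http://example.com/alice#1")[0])      # returning
    print(rp.login("http://example.com/alice#2")[0])      # new (different identifier string)
    # Timestamp scheme: same URL, timestamp changes after recycling.
    rp2 = RelyingParty()
    print(rp2.login("http://example.com/bob", "2008-01-15T10:00:00Z")[0])   # new
    print(rp2.login("http://example.com/bob", "2008-01-15T10:00:00Z")[0])   # returning
    print(rp2.login("http://example.com/bob", "2009-12-03T08:07:00Z")[0])   # recycled
    print(display_identifier("http://example.com/alice#2"))                 # http://example.com/alice
```

The two schemes differ in where the "generation" of the identifier lives: with fragments it is part of the identifier string itself and survives printing, copying and the OP's existing response format, which is why the RP needs no extra field but must resist the temptation to strip the fragment; with the timestamp parameter the identifier stays clean, but the RP must persist one extra attribute per user and decide what to do when it is absent, which the example handles by recording it the first time it appears.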
