URL relationship permanence
meepbear at hotmail.com
Thu Jun 30 04:12:35 PDT 2005
This is my understanding of the whole thing, so don't pay too much attention
to it as I might be completely off the mark :).
OpenID doesn't strictly confirm identity; it confirms ownership which is
something that we tend to identify with identity. In reality at any point in
time whoever owned something yesterday isn't necessarily still the owner of
The closest analogy I can think of is your mailing address (e-mail address
works fine too). It is yours and yours alone, but only for as long as you
still live there. If you moved out and I move in right away, I can take on
your 'identity' to whomever considers your mailing address to be you.
My point is that the burden of maintaining your 'identity' falls on you. If
Zack's domain gets compromised or he looses his ownership of it then it's
his responsability to inform all the involved parties of that fact.
The sites in question would then simply add his old OpenID URL to the list
of URLs it will not accept as identity, preventing anyone from impersonating
Another approach is mapping an OpenID URL to a local username. In this case
Zack would have both his OpenID URL and a local account at the message
board. He can use his OpenID URL as his crendentials to post or administer
(which the site would map to his board username) but if his OpenID URL
should become compromised he simply logs into the board the "old-fashioned"
way and removes the mapping of his old OpenID URL to his username, once
again preventing impersonation.
In this case the local account has a much higher trust factor than a valid
OpenID assertion so you would restrict things like password changes to
require a local login.
More information about the yadis