URL relationship permanence

meepbear * meepbear at hotmail.com
Thu Jun 30 04:12:35 PDT 2005

This is my understanding of the whole thing, so don't pay too much attention 
to it as I might be completely off the mark :).

OpenID doesn't strictly confirm identity; it confirms ownership which is 
something that we tend to identify with identity. In reality at any point in 
time whoever owned something yesterday isn't necessarily still the owner of 
it today.

The closest analogy I can think of is your mailing address (e-mail address 
works fine too). It is yours and yours alone, but only for as long as you 
still live there. If you moved out and I move in right away, I can take on 
your 'identity' to whomever considers your mailing address to be you.

My point is that the burden of maintaining your 'identity' falls on you. If 
Zack's domain gets compromised or he looses his ownership of it then it's 
his responsability to inform all the involved parties of that fact.
The sites in question would then simply add his old OpenID URL to the list 
of URLs it will not accept as identity, preventing anyone from impersonating 

Another approach is mapping an OpenID URL to a local username. In this case 
Zack would have both his OpenID URL and a local account at the message 
board. He can use his OpenID URL as his crendentials to post or administer 
(which the site would map to his board username) but if his OpenID URL 
should become compromised he simply logs into the board the "old-fashioned" 
way and removes the mapping of his old OpenID URL to his username, once 
again preventing impersonation.
In this case the local account has a much higher trust factor than a valid 
OpenID assertion so you would restrict things like password changes to 
require a local login.

More information about the yadis mailing list